[Bro] bro protocol detection from pcap
Oguz Yarimtepe
oguzyarimtepe at gmail.com
Thu Apr 19 01:14:21 PDT 2012
Hi,
I installed Bro 2.0 and tried to use its dpd functionality to detect application level protocols. I attached two pcaps.
Running bro for test-http.pcap results in http detection at the conn.log
# bro -p broctl -p broctl-live -p standalone -p local -p bro -r webdav.pcap
# bro-cut service < conn.log
conn.log
http
Then I wrote a script to extract TCP flows and save them as different pcap files. The idea is to keep the packets with the same source ip, source port, destination ip, destination port (one direction) or the other direction in the same pcap file.
One of the pcaps that has a http flow in it is 213.pcap. When I try it with bro I don't see any application level information.
# bro -p broctl -p broctl-live -p standalone -p local -p bro -r 213.pcap
# bro-cut service < conn.log
-
-
But when I try it via tshark I can get the protocol information
# tshark -q -z io,phs -r 213.pcap
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
===================================================================
Protocol Hierarchy Statistics
Filter:
eth frames:74 bytes:207091
ip frames:74 bytes:207091
tcp frames:74 bytes:207091
http frames:1 bytes:865
Any idea what the reason is?
Am I running the right parameter for bro to detect the application level protocol (dpd)?
--
Oguz Yarimtepe <oguzyarimtepe at gmail.com>
http://about.me/oguzy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: webdav.pcap
Type: application/cap
Size: 12382 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120419/28f34792/attachment.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 213.pcap
Type: application/cap
Size: 208299 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120419/28f34792/attachment-0001.bin
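The flow-splitting step described in the post (group packets by the 4-tuple in either direction and write each group to its own pcap) as an added example; this is not the poster's script nor anything from Bro. It assumes classic pcap (not pcapng) with Ethernet/IPv4/TCP frames, and the sample capture it reads is constructed inline from synthetic frames so it runs offline. The key is built from the sorted endpoint pair, so request and response land in the same output file.

```python
import struct
from collections import defaultdict
from pathlib import Path
from socket import inet_aton, inet_ntoa

PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1


def pcap_global_header(linktype=LINKTYPE_ETHERNET):
    # magic, major, minor, thiszone, sigfigs, snaplen, network
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)


def pcap_record(ts_sec, ts_usec, data):
    # per-packet header: ts_sec, ts_usec, incl_len, orig_len
    return struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data


def iter_pcap_records(blob):
    """Yield (ts_sec, ts_usec, frame_bytes) from an in-memory pcap file."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        yield ts_sec, ts_usec, blob[off:off + incl_len]
        off += incl_len


def flow_key(frame):
    """Direction-insensitive key ((ip, port), (ip, port)) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:  # IP protocol field: 6 = TCP
        return None
    src, dst = inet_ntoa(frame[26:30]), inet_ntoa(frame[30:34])
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)  # sort endpoints so both directions collide


def split_flows(blob):
    """Map each bidirectional TCP flow key to a complete pcap file (bytes) holding its packets."""
    flows = defaultdict(bytearray)
    for ts_sec, ts_usec, frame in iter_pcap_records(blob):
        key = flow_key(frame)
        if key is None:
            continue  # non-TCP traffic is dropped, as in the poster's description
        if not flows[key]:
            flows[key] += pcap_global_header()
        flows[key] += pcap_record(ts_sec, ts_usec, frame)
    return {k: bytes(v) for k, v in flows.items()}


def count_records(blob):
    return sum(1 for _ in iter_pcap_records(blob))


def write_flow_pcaps(flows, outdir):
    """Write one file per flow (flow-0.pcap, flow-1.pcap, ...) and return the paths."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for n, (key, blob) in enumerate(sorted(flows.items())):
        p = outdir / f"flow-{n}.pcap"
        p.write_bytes(blob)
        paths.append(p)
    return paths


def build_tcp_frame(src_ip, sport, dst_ip, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero, fine for our own parser."""
    eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     inet_aton(src_ip), inet_aton(dst_ip))
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture: one HTTP exchange (both directions) plus one unrelated SSH packet."""
    frames = [
        build_tcp_frame("10.0.0.5", 51000, "93.184.216.34", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
        build_tcp_frame("93.184.216.34", 80, "10.0.0.5", 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
        build_tcp_frame("10.0.0.5", 51001, "10.0.0.9", 22, b"SSH-2.0-x\r\n"),
    ]
    blob = pcap_global_header()
    for i, f in enumerate(frames):
        blob += pcap_record(1334822061 + i, 0, f)
    return blob


if __name__ == "__main__":
    flows = split_flows(build_sample_pcap())
    for key, blob in flows.items():
        print(key, count_records(blob), "packets")
```

For a real capture, pass `open("213.pcap", "rb").read()` to `split_flows` and hand the result to `write_flow_pcaps`. Keeping both directions in one file matters for the question in the post: a flow file that holds only one side of the conversation gives any protocol detector far less to work with than the original capture did.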