[Bro] bro protocol detection from pcap

Oguz Yarimtepe oguzyarimtepe at gmail.com
Thu Apr 19 01:14:21 PDT 2012 

Hi,

I installed Bro 2.0 and tried to use its dpd functionality to detect application level protocols. I attacted two pcap.
Running bro for test-http.pcap results in http detection at the conn.log

# bro -p broctl -p broctl-live -p standalone -p local -p bro -r webdav.pcap
# bro-cut service < conn.log
conn.log 
http

Then i wrote a script to extract TCP flows and save them as different pcap files. The idea is to keep the packets with the same source ip, source port, destination ip, destination port (on direction) or another direction in the same pcap file. 

One of the pcap that has a http flow in it is 213.pcap. When i try it with bro i don't see and application level information.

# bro -p broctl -p broctl-live -p standalone -p local -p bro -r 213.pcap
# bro-cut service < conn.log 
-
-

But when i try it via tshark i can get the protocol information

# tshark -q -z io,phs -r 213.pcap 
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.

===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:74 bytes:207091
  ip                                     frames:74 bytes:207091
    tcp                                  frames:74 bytes:207091
      http                               frames:1 bytes:865

Any idea what the reason is?

Am i running the right paramater for bro to detect the application level protocol (dpd)?

-- 
Oguz Yarimtepe <oguzyarimtepe at gmail.com>
http://about.me/oguzy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: webdav.pcap
Type: application/cap
Size: 12382 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120419/28f34792/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 213.pcap
Type: application/cap
Size: 208299 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120419/28f34792/attachment-0001.bin

More information about the Bro mailing list