[Bro] saving the binary information at pcap
Oguz Yarimtepe
oguzyarimtepe at gmail.com
Wed May 16 22:53:56 PDT 2012
Hi,
On Wed, 16 May 2012 16:37:00 -0400
Seth Hall <seth at icir.org> wrote:
> What are you referring to as binaries? You are going to need to explain what you are trying to accomplish in more detail.
When I run
bro -r somepcapfile base/protocols/conn/ (the aim is to get contents.bro loaded, but I might be writing the wrong path now; I couldn't remember the whole path of the directory where contents.bro is installed)
I got some dat files. They have names:
contencts_192.168.1.10_4356_193.255.98.2_80_orig.dat
contencts_192.168.1.10_4356_193.255.98.2_80_resp.dat
Each has the result of TCP reassembly sessions. I saved my port 80 traffic when I browsed to www.milliyet.com.tr, so the results have images, JS files, returned HTML, everything that a web site can have.
By traversing each file, I can save the contents separately. It seems the response dat files have the saved information like images, HTML files, and texts in plain format.
Is there a way to tell Bro: OK, don't save this response as a single file, but save the images here, JS files here, etc.? Or can I use the Broccoli Python binding for it?
--
Oguz Yarimtepe <oguzyarimtepe at gmail.com>
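
Added example (not part of the original post and not Bro's own code): one way to post-process a reassembled `*_resp.dat` stream as described above, splitting it into individual HTTP response bodies and writing each under a directory named after its Content-Type. The function names and the sample bytes are constructed for illustration; it handles Content-Length and chunked bodies only, and does not undo Content-Encoding such as gzip.

```python
import os, re

# Constructed sample: two responses back to back, as in a reassembled *_resp.dat.
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
          b"Content-Length: 13\r\n\r\n<html></html>"
          b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n"
          b"6\r\nGIF89a\r\n3\r\n\x01\x00\x01\r\n0\r\n\r\n")

def _dechunk(data, pos):  # -> (body, next_pos) for a chunked body at pos
    body = b""
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:  # last chunk: skip optional trailers and the blank line
            end = data.find(b"\r\n\r\n", pos - 2)
            return body, (end + 4 if end != -1 else len(data))
        body += data[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF

def split_responses(data):
    """Return [(content_type, body), ...] for each response in the stream."""
    out, pos = [], 0
    while True:
        start = data.find(b"HTTP/1.", pos)
        head_end = data.find(b"\r\n\r\n", start)
        if start == -1 or head_end == -1:
            return out  # no further status line, or truncated capture
        lines = data[start:head_end].split(b"\r\n")[1:]
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (ln.partition(b":") for ln in lines)}
        pos = head_end + 4
        if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
            body, pos = _dechunk(data, pos)
        else:  # bodies delimited only by connection close are not handled
            length = int(headers.get(b"content-length", b"0"))
            body, pos = data[pos:pos + length], pos + length
        ctype = headers.get(b"content-type", b"application/octet-stream")
        out.append((ctype.split(b";")[0].strip().lower().decode("latin-1"), body))

def save_by_type(items, outdir):
    """Write each body to outdir/<sanitized type>/<n>.bin; return the paths.
    Content-Type comes from the network, so only safe characters are kept."""
    paths = []
    for n, (ctype, body) in enumerate(items):
        folder = os.path.join(outdir, re.sub(r"[^a-z0-9+-]", "_", ctype))
        os.makedirs(folder, exist_ok=True)
        paths.append(os.path.join(folder, "%04d.bin" % n))
        with open(paths[-1], "wb") as fh:
            fh.write(body)
    return paths
```

To use it on a real capture, read the `_resp.dat` file in binary mode and pass the bytes to `split_responses`, then pass the result to `save_by_type`.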