[Bro] Issue with small pcap files and -r

Mike Sconzo sconzo at visiblerisk.com
Mon Jan 7 15:48:38 PST 2013


When running bro in stand-alone mode, is there a size cutoff for it to
do anything with a pcap file?

In bro 2.0 and 2.1 if I run, on a small pcap (76k through 6mb):
bro -C -r ./input.pcap /usr/local/bro/share/bro/site/local.bro

it only creates
loaded_scripts.log
notice_policy.log
packet_filter.log

However, if I run the same command line on a larger pcap (512mb) it
produces more "normal" logs.
conn.log
http.log
etc...

I've looked through the pcaps in snort, wireshark, tcpdump, and tshark
and none of them have issues reading any of the small pcap files
(snort will also flag alerts where appropriate). There is app data
where expected in packet payloads and multiple setup/teardowns per
pcap.

I skimmed through the trace file and didn't see anything that looked
like an error.

Am I missing something simple? Does this have implications with
running bro in production?

Thanks,
-=Mike

--
cat ~/.bash_history > documentation.txt
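The first thing worth ruling out with a trace that one tool reads and another ignores is the pcap container itself: magic number (byte order, microsecond vs. nanosecond variant), link-layer type, snaplen, and whether the records actually parse to the end of the file. The script below is an added example written for this thread, not code from the poster or from the Bro project; it only inspects the libpcap file structure and says nothing about what Bro does with the contents. The `build_sample_pcap` input is a constructed two-packet file, and the function and field names are my own.

```python
import struct

# Magic numbers as they appear when the first 4 bytes are read as a
# little-endian uint32. The value tells us the file's byte order and
# the unit of the per-record fractional timestamp.
PCAP_MAGICS = {
    0xA1B2C3D4: ("little", 1_000_000),      # classic, microsecond timestamps
    0xD4C3B2A1: ("big", 1_000_000),
    0xA1B23C4D: ("little", 1_000_000_000),  # nanosecond variant
    0x4D3CB2A1: ("big", 1_000_000_000),
}
GLOBAL_HDR_LEN = 24   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len


def inspect_pcap(data: bytes) -> dict:
    """Walk a classic libpcap file and summarise its container-level sanity."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file is shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        # 0x0A0D0D0A would be a pcapng section header, which this parser does not read.
        raise ValueError(f"unknown magic 0x{magic:08x} (pcapng or not a pcap?)")
    order, ts_unit = PCAP_MAGICS[magic]
    e = "<" if order == "little" else ">"
    _, ver_major, ver_minor, _tz, _sig, snaplen, linktype = struct.unpack(
        e + "IHHiIII", data[:GLOBAL_HDR_LEN]
    )

    off = GLOBAL_HDR_LEN
    packets = captured = truncated = 0
    first_ts = last_ts = None
    trailing = 0  # bytes left over that do not form a complete record
    while off + RECORD_HDR_LEN <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            e + "IIII", data[off:off + RECORD_HDR_LEN]
        )
        if off + RECORD_HDR_LEN + incl_len > len(data):
            trailing = len(data) - off      # record header claims more bytes than exist
            break
        ts = ts_sec + ts_frac / ts_unit
        first_ts = ts if first_ts is None else first_ts
        last_ts = ts
        packets += 1
        captured += incl_len
        if incl_len < orig_len:
            truncated += 1                  # snapped packet: payload not fully captured
        off += RECORD_HDR_LEN + incl_len
    else:
        trailing = len(data) - off

    return {
        "byte_order": order,
        "version": f"{ver_major}.{ver_minor}",
        "ts_unit": "ns" if ts_unit == 1_000_000_000 else "us",
        "linktype": linktype,               # 1 = Ethernet; other values need a matching decoder
        "snaplen": snaplen,
        "packets": packets,
        "captured_bytes": captured,
        "truncated_packets": truncated,
        "first_ts": first_ts,
        "last_ts": last_ts,
        "trailing_bytes": trailing,
    }


def build_sample_pcap() -> bytes:
    """Constructed two-record little-endian Ethernet pcap (not one of the poster's files)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkt1 = b"\x00" * 60
    rec1 = struct.pack("<IIII", 1357602518, 0, len(pkt1), len(pkt1)) + pkt1
    pkt2 = b"\x00" * 40
    rec2 = struct.pack("<IIII", 1357602519, 500000, len(pkt2), 1500) + pkt2  # snapped
    return hdr + rec1 + rec2


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for k, v in inspect_pcap(data).items():
        print(f"{k:18} {v}")
```

Run it as `python3 inspect_pcap.py input.pcap` against one of the small files and one of the large ones and compare the two summaries. A non-Ethernet `linktype`, a nanosecond magic, a non-zero `trailing_bytes` count, or every packet reported as truncated are the kinds of differences that would explain one tool handling a file and another producing nothing beyond its startup logs; identical summaries point the investigation back at the reader rather than the file.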
