[Bro] Split PCAPs & Partial Connections

Jason dn1nj4 at gmail.com
Mon Jun 9 00:59:55 PDT 2014


Has anyone here run into this problem before?  It seems to be the same for
http.log files as well.

Thanks!
Jason


On Fri, Jun 6, 2014 at 8:34 AM, dn1nj4 <dn1nj4 at gmail.com> wrote:

> Hello all,
>
> I am batch processing some periodic PCAP files to extract SSL
> certificates. I noticed if I do bro -r file1, followed by bro -r file2, I
> end up with two ssl.log files totalling ~1500 lines. However, if I mergecap
> file1 & file2 and run bro -r merged, my ssl.log is ~7000 lines.
>
> After searching the list archive and current bro docs, I thought this
> might be a partial connection problem. So I tried a redef
> partial_connection_ok = T; but that did not seem to have any effect.
>
> Any insights into how I might fix the discrepancy would be greatly
> appreciated.
>
> Jason
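The workaround observed in the thread (merge the periodic captures with mergecap before a single `bro -r`, so that a TLS session whose handshake sits in one file and whose certificate sits in the next is reassembled rather than discarded as a partial connection) as a reusable batch function. This is an added example, not code from the thread or from the Bro project; it assumes `mergecap` (Wireshark) and `bro` are on PATH unless overridden via the MERGECAP and BRO variables, and that Bro writes ssl.log into the current directory.

```shell
#!/bin/sh
# Added example: run Bro once over a merged capture instead of once per
# capture file. Connections that straddle a file boundary are then seen
# by a single Bro instance with full connection state.
# Assumptions: mergecap and bro on PATH (override with MERGECAP / BRO);
# bro writes its logs (ssl.log, http.log, ...) into the working directory.

MERGECAP="${MERGECAP:-mergecap}"
BRO="${BRO:-bro}"

# Usage: bro_merged_run OUTDIR file1.pcap file2.pcap ...
# Merges the given captures into OUTDIR/merged.pcap (mergecap orders the
# packets by timestamp), runs bro -r on the merged file inside OUTDIR,
# and prints the number of ssl.log records produced.
bro_merged_run() {
    outdir="$1"; shift
    [ "$#" -ge 1 ] || { echo "usage: bro_merged_run OUTDIR pcap..." >&2; return 1; }
    mkdir -p "$outdir" || return 1
    "$MERGECAP" -w "$outdir/merged.pcap" "$@" || return 1
    ( cd "$outdir" && "$BRO" -r merged.pcap ) || return 1
    count_log_records "$outdir/ssl.log"
}

# Count data records in a Bro log: lines starting with '#' are the
# header/footer (#fields, #types, #close, ...) and are skipped.
# Prints 0 when the log does not exist (no SSL traffic was seen).
count_log_records() {
    if [ -f "$1" ]; then
        grep -c -v '^#' "$1" || true
    else
        echo 0
    fi
}
```

Compare the count from `bro_merged_run` against the sum of the per-file runs to measure how many records the split processing lost.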