[Bro] Split PCAPs & Partial Connections

Shane Castle shane.castle at gmail.com
Mon Jun 9 02:17:08 PDT 2014


A few questions arise:

How did you run mergecap? Does the behavior change if you run it using
-a? Do the two pcap files immediately follow one another in timestamps,
that is, does file2 start exactly where file1 stops? Is the merged pcap
file about equal to size(file1) plus size(file2), or is it significantly
larger?

-- 
Mit besten Grüßen
Shane Castle

On 09.06.2014 09:59, Jason wrote:
> Has anyone here run into this problem before?  It seems to be the same
> for http.log files as well.
> 
> Thanks!
> Jason
> 
> 
> On Fri, Jun 6, 2014 at 8:34 AM, dn1nj4 <dn1nj4 at gmail.com> wrote:
> 
>     Hello all,
> 
>     I am batch processing some periodic PCAP files to extract SSL
>     certificates. I noticed if I do bro -r file1, followed by bro -r
>     file2, I end up with two ssl.log files totalling ~1500 lines.
>     However, if I mergecap file1 & file2 and run bro -r merged, my
>     ssl.log is ~7000 lines.
> 
>     After searching the list archive and current bro docs, I thought
>     this might be a partial connection problem. So I tried a redef
>     partial_connection_ok = T; but that did not seem to have any effect.
> 
>     Any insights into how I might fix the discrepancy would be greatly
>     appreciated.
> 
>     Jason
> 
> 
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 

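One way to answer the checks asked about above offline, as an added example that is not part of the thread: a small Python script that reads classic libpcap headers and reports whether file2 begins where file1 ends, whether the merged file holds the packets of both parts, and whether its size is the sum of the parts minus one duplicate global header. It assumes classic pcap input (mergecap's `-F pcap` output; pcapng is rejected) and builds its own constructed sample captures.

```python
import struct

GLOBAL_HDR = 24   # libpcap global header size in bytes
RECORD_HDR = 16   # per-packet record header size in bytes

def pcap_summary(data: bytes):
    """Return (packet_count, first_ts, last_ts) for a classic libpcap file."""
    magics = {b"\xd4\xc3\xb2\xa1": ("<", 1e-6), b"\xa1\xb2\xc3\xd4": (">", 1e-6),
              b"\x4d\x3c\xb2\xa1": ("<", 1e-9), b"\xa1\xb2\x3c\x4d": (">", 1e-9)}
    if data[:4] not in magics:
        raise ValueError("not classic libpcap (pcapng? re-run mergecap with -F pcap)")
    endian, scale = magics[data[:4]]
    off, count, first, last = GLOBAL_HDR, 0, None, None
    while off + RECORD_HDR <= len(data):
        sec, frac, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + RECORD_HDR])
        ts = sec + frac * scale
        first = ts if first is None else first
        last, count, off = ts, count + 1, off + RECORD_HDR + incl_len
    return count, first, last

def check_merge(part1: bytes, part2: bytes, merged: bytes) -> dict:
    """Answer the questions from the reply above for one pair of captures."""
    n1, _, end1 = pcap_summary(part1)
    n2, start2, _ = pcap_summary(part2)
    nm, _, _ = pcap_summary(merged)
    return {
        # file2 should start where file1 stops; an overlap suggests both
        # captures contain the same traffic, which a merge would double up
        "contiguous": end1 <= start2,
        "overlap_seconds": max(0.0, end1 - start2),
        # mergecap writes a single global header, so the merged file should be
        # size(file1) + size(file2) - 24 bytes and hold n1 + n2 packets
        "size_ok": len(merged) == len(part1) + len(part2) - GLOBAL_HDR,
        "packets_ok": nm == n1 + n2,
    }

def make_pcap(timestamps) -> bytes:
    """Constructed sample capture: little-endian microsecond pcap with one
    dummy 14-byte Ethernet frame per timestamp (test data, not real traffic)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for ts in timestamps:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
        frame = b"\x00" * 14
        body += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return hdr + body

if __name__ == "__main__":
    f1 = make_pcap([100.0, 100.5, 101.0])
    f2 = make_pcap([101.5, 102.0])
    print(check_merge(f1, f2, make_pcap([100.0, 100.5, 101.0, 101.5, 102.0])))
```

Run it on real files with `check_merge(open(p1, "rb").read(), ...)`; a large overlap or a merged size well above the sum points at duplicated packets rather than at Bro's partial-connection handling.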