[Bro] Problem reading pcap file

Vladimir Arseniev vladimira at vfemail.net
Sun Oct 19 19:19:08 PDT 2014


While this is fundamentally an old question, the old answers aren't
working for me. Using "bro -r", I get the classic "invalid UDP
checksums" error. Using "bro -rC" (or "bro -r -C"), I get numerous
errors about unrecognized characters (even with the "-r" flag).

Using "bro -Cr" (or "bro -C -r"), I get no shell errors. However, I see
just 13 packets in "conn.log" vs 24311 packets expected. Perhaps this is
the new piece of my question (plus why "-rC" <> "-Cr").

How do I fix this?

Some details might be useful. I compiled from bro-2.3.1.tar.gz in Debian
7.6 x64. I'm working with a 32MB capture from a Centos 6.5 VPS. I used
dumpcap with a ring buffer:

dumpcap -b filesize:102400 -b files:10 -i eth0 -w /home/user/eth0

I used Wireshark to restrict eth0_00001_20141014111022 to IPv4, yielding
eth0_00001_20141014111022_IPv4. Then I used "editcap -F libpcap" to
convert to eth0_00001_20141014111022_IPv4.pcap (hereinafter "eth0.pcap").

I get no joy reading eth0.pcap with bro:

bro -r eth0.pcap
1413340801.822519 warning in
/usr/local/bro/share/bro/base/misc/find-checksum-offloading.bro, line
54: Your trace file likely has invalid UDP checksums, most likely from
NIC checksum offloading.

bro -rC eth0.pcap
error in ./eth0.pcap, line 1: unrecognized character -
...
error in ./eth0.pcap, line 1: unknown identifier t, at or near "t"

bro -Cr eth0.pcap
[completes without errors, but conn.log is just 2.4KB]

cat conn.log
[see expected headers, but just 13 data lines]
#close	2014-10-19-20-26-47
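The difference between "-rC" and "-Cr" is what getopt-style parsing produces when -r takes a filename and -C is a bare flag: in "-rC" the trailing C is consumed as the argument of -r, so the pcap becomes a positional argument and is parsed as a script. The shell function below is an added illustration of that parsing, not Bro's own code; the option string "Cr:" is an assumption that mirrors only those two options.

```shell
#!/bin/sh
# Simulate getopt-style parsing of the two flags from the post:
#   -C  bare flag (ignore checksums)
#   -r  takes a trace filename as its argument
# The option string "Cr:" is an assumption for this illustration.
parse_bro_style() {
    OPTIND=1                # reset so the function can be called repeatedly
    trace=""
    ignore_checksums=0
    while getopts "Cr:" opt; do
        case "$opt" in
            C) ignore_checksums=1 ;;
            r) trace="$OPTARG" ;;       # OPTARG is the rest of the word, or the next word
            *) return 1 ;;
        esac
    done
    shift $((OPTIND - 1))   # whatever remains is positional (treated as script files)
    printf 'trace=%s ignore_checksums=%d positional=%s\n' \
        "$trace" "$ignore_checksums" "$*"
}

# Demonstration with the two orderings from the post (constructed input).
parse_bro_style -Cr eth0.pcap   # trace=eth0.pcap ignore_checksums=1 positional=
parse_bro_style -rC eth0.pcap   # trace=C ignore_checksums=0 positional=eth0.pcap
```

The second form reads the trace from a file named "C" and hands eth0.pcap to the script loader, which matches the "unrecognized character" errors reported against ./eth0.pcap, line 1.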