[Bro] Log file issues

Robin Sommer robin at icir.org
Mon Aug 24 10:44:21 PDT 2015



On Mon, Aug 24, 2015 at 12:44 -0400, Aaron Haycraft wrote:

> want to run a lot of PCAP files through it. For example, the lines of
> code I run are "bro -r test.pcap" and "bro -r test2.pcap", and so on.
> However, when I do so, the logs seem to overwrite after awhile and I lose a
> lot of data.

When you run Bro from the command line, everything in the trace you
give to an invocation will end up in a single set of log files inside
the current directory. But if you then restart Bro with a different
trace, these logs will be overwritten with new ones (i.e., Bro won't
append the new data). You'll either need to move them away before you
start the new Bro, or you could concatenate all your traces into one
pcap stream on stdin and have Bro read from "-" (tcpslice and mergecap
can both do that).

Robin

-- 
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
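The two workarounds Robin describes, as an added shell example (not code from the original thread or from the Bro project): run Bro once per trace from inside a fresh per-trace directory so each run's logs land in their own place, or merge all traces with mergecap and feed one stream to a single Bro reading from "-". The function names, the BRO variable and the output layout are this example's own assumptions; "bro -r" and "mergecap -w -" are the real command-line options.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes a Bro binary is on
# PATH or named via $BRO, and mergecap (from Wireshark) for the merge variant.
set -eu

: "${BRO:=bro}"   # path to the Bro executable (assumption: override with BRO=...)

# run_per_trace OUTROOT PCAP...
# Bro writes its logs into the current directory, so for each trace create
# OUTROOT/<trace-name>/ and run Bro from inside it. Refuses to reuse a
# directory that already exists, so an earlier run's logs are never clobbered.
run_per_trace() {
    outroot=$1; shift
    for pcap in "$@"; do
        [ -f "$pcap" ] || { echo "no such trace: $pcap" >&2; return 1; }
        # absolute path, because we cd away before invoking Bro
        abs=$(cd "$(dirname "$pcap")" && pwd)/$(basename "$pcap")
        name=$(basename "$pcap" .pcap)
        dir="$outroot/$name"
        if [ -e "$dir" ]; then
            echo "refusing to overwrite existing logs in $dir" >&2
            return 1
        fi
        mkdir -p "$dir"
        ( cd "$dir" && "$BRO" -r "$abs" )
    done
}

# run_merged PCAP...
# The other option from the reply: merge all traces into one capture on
# stdout (mergecap -w -) and let a single Bro invocation read it from "-".
# mergecap orders packets by timestamp by default; pass -a instead to
# concatenate the files in argument order.
run_merged() {
    mergecap -w - "$@" | "$BRO" -r -
}

# count_logs DIR: number of *.log files below DIR, to check what a batch produced
count_logs() {
    find "$1" -name '*.log' -type f | wc -l | tr -d ' '
}

# Usage (after sourcing this file):
#   run_per_trace ./logs test.pcap test2.pcap
#   run_merged test.pcap test2.pcap
```

Running from a per-trace directory is the simpler of the two when you want to know which trace a given log line came from; the merged stream is the one to use when the traces are pieces of one capture session and connections span file boundaries.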

