[Bro] Issue when Bro is reading a file which is capturing live traffic

Frank Meier franky.meier.1 at gmx.de
Mon Dec 28 06:02:40 PST 2015


Hi Hashem,

On Thu, 24 Dec 2015 05:55:08 +0300
Hashem Alaidaros <aidaros.dev at gmail.com> wrote:

> Hi All,
> I run tcpdump live to capture the traffic into a file using "-w".
> Then I run bro to read that file offline using "-r".
> Both instances are running continuously. First it works fine but then
> bro stop generating results although it keep running, this means bro
> didn't continue reading from the file. Is it because bro -r is faster
> than the live capturing?

I guess that is what's happening, but I did not test.
Why don't you just let bro and tcpdump read from the network interface?

Franky
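The failure described in the thread comes down to how an offline pcap reader treats end of file: it reads records until the data runs out and then considers the capture finished, even if tcpdump is still appending to the same file. The following Python script is an added illustration of that behaviour and is not Bro's or tcpdump's code; it builds a small capture in memory (constructed sample frames, not real traffic), takes snapshots of the file as it would look mid-write, and compares a one-shot reader with a reader that keeps its offset and resumes as bytes arrive. The pcap global header and record header layouts are the standard libpcap ones; everything else (function names, frame contents, timestamps) is an assumption made for the example.

```python
"""Constructed illustration: why a one-shot pcap reader stops on a file that
tcpdump is still writing, and what an incremental reader has to do instead."""
import struct

PCAP_MAGIC = 0xA1B2C3D4
# magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype (libpcap layout)
GLOBAL_HDR = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, incl_len, orig_len (libpcap per-record layout)
REC_HDR = struct.Struct("<IIII")
LINKTYPE_ETHERNET = 1


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    return GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, payload):
    return REC_HDR.pack(ts_sec, ts_usec, len(payload), len(payload)) + payload


def read_offline(data):
    """One-shot reader: parses records until EOF and takes EOF to mean the
    capture is complete. A partially written trailing record is unusable."""
    if len(data) < GLOBAL_HDR.size or GLOBAL_HDR.unpack_from(data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a pcap file")
    packets, off = [], GLOBAL_HDR.size
    while len(data) - off >= REC_HDR.size:
        _, _, incl_len, _ = REC_HDR.unpack_from(data, off)
        end = off + REC_HDR.size + incl_len
        if end > len(data):
            break  # record cut off at EOF: the writer has not finished it
        packets.append(data[off + REC_HDR.size:end])
        off = end
    return packets


class TailingReader:
    """Incremental reader: remembers its offset and resumes when more bytes appear
    (hypothetical helper; this is how a 'tail -f'-style pcap consumer would behave)."""

    def __init__(self):
        self.offset = 0
        self.header_ok = False

    def feed(self, data):
        packets = []
        if not self.header_ok:
            if len(data) < GLOBAL_HDR.size:
                return packets  # header not fully written yet
            if GLOBAL_HDR.unpack_from(data, 0)[0] != PCAP_MAGIC:
                raise ValueError("not a pcap file")
            self.offset, self.header_ok = GLOBAL_HDR.size, True
        while len(data) - self.offset >= REC_HDR.size:
            _, _, incl_len, _ = REC_HDR.unpack_from(data, self.offset)
            end = self.offset + REC_HDR.size + incl_len
            if end > len(data):
                break  # partial record: leave the offset here and wait for more bytes
            packets.append(data[self.offset + REC_HDR.size:end])
            self.offset = end
        return packets


def simulate_growing_capture():
    """Constructed sample: the capture file as seen at three moments while the
    writer appends. Returns (packets_seen_offline, packets_seen_tailing, total)."""
    frames = [bytes([i]) * (40 + i) for i in range(1, 5)]  # four fake frames
    records = [pcap_record(1451000000 + i, 0, f) for i, f in enumerate(frames)]
    full = pcap_global_header() + b"".join(records)
    # snapshot 1: header, record 0, and half of record 1 (writer mid-record)
    cut = GLOBAL_HDR.size + len(records[0]) + len(records[1]) // 2
    snapshots = [full[:cut], full[:cut + len(records[1])], full]

    offline = len(read_offline(snapshots[0]))  # reads once at snapshot 1, then stops
    tail = TailingReader()
    tailed = sum(len(tail.feed(s)) for s in snapshots)
    return offline, tailed, len(frames)


if __name__ == "__main__":
    print(simulate_growing_capture())  # → (1, 4, 4)
```

The one-shot reader sees only the records that were complete when it reached end of file, which is the point at which results stop appearing in the setup from the original question; the tailing reader keeps going because it treats a short read as "not yet written" rather than "done". Reading from the interface directly, as suggested in the reply, sidesteps the problem entirely; the other common arrangement is to rotate capture files and process each one only once the writer has closed it.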
