[Bro] Issue when Bro is reading a file which capturing live traffic

Hashem Alaidaros aidaros.dev at gmail.com
Mon Dec 28 19:35:29 PST 2015


Thanks, Franky, for your reply.
In my research, I'm requested to run Bro in offline mode for further
analysis and forensics.

Any idea how to resolve the issue?

Thanks

On Mon, Dec 28, 2015 at 5:02 PM, Frank Meier <franky.meier.1 at gmx.de> wrote:

>
> Hi Hashem,
>
> On Thu, 24 Dec 2015 05:55:08 +0300
> Hashem Alaidaros <aidaros.dev at gmail.com> wrote:
>
> > Hi All,
> > I run tcpdump live to capture the traffic into a file using "-w".
> > Then I run Bro to read that file offline using "-r".
> > Both instances are running continuously. At first it works fine, but then
> > Bro stops generating results although it keeps running. This means Bro
> > didn't continue reading from the file. Is it because bro -r is faster
> > than the live capturing?
>
> I guess that is what's happening, but I did not test.
> Why don't you just let Bro and tcpdump read from the network interface?
>
> Franky
>



-- 
A friend in need Is a friend indeed
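The effect the thread guesses at (a one-shot pcap reader outrunning tcpdump and stopping at what is, at that moment, the end of the file) can be reproduced with a small reader. This is an added example, not code from the thread or from Bro: it parses the classic little-endian pcap layout and treats a short read on a still-growing capture as "wait for the writer" instead of end of input; the file contents, timestamps and timeouts are constructed for the demonstration.

```python
import os, struct, tempfile, time

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def build_pcap(payloads):
    """Constructed test input: a little-endian pcap holding the given payloads."""
    out = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, payload in enumerate(payloads):
        out += REC_HDR.pack(1451000000 + i, 0, len(payload), len(payload)) + payload
    return out

def follow_pcap(path, idle_timeout=5.0, poll=0.1):
    """Yield (ts_sec, payload) from a pcap that may still be growing. A short read
    means the writer has not caught up yet, so wait and retry instead of stopping."""
    with open(path, "rb") as f:
        def read_exact(n):  # block until n bytes arrive or the writer goes quiet
            buf, deadline = b"", time.monotonic() + idle_timeout
            while len(buf) < n:
                chunk = f.read(n - len(buf))
                if chunk:
                    buf, deadline = buf + chunk, time.monotonic() + idle_timeout
                elif time.monotonic() >= deadline:
                    return None  # no new bytes for idle_timeout: end of capture
                else:
                    time.sleep(poll)
            return buf
        hdr = read_exact(GLOBAL_HDR.size)
        if hdr is None or GLOBAL_HDR.unpack(hdr)[0] != PCAP_MAGIC:
            raise ValueError("not a little-endian pcap file")
        while (rec := read_exact(REC_HDR.size)) is not None:
            ts_sec, _usec, incl_len, _orig = REC_HDR.unpack(rec)
            payload = read_exact(incl_len)
            if payload is None:
                return  # record header arrived but its payload never completed
            yield ts_sec, payload

def demo():
    """Constructed scenario: a capture cut mid-record, then completed by the writer."""
    payloads = [b"\x01" * 60, b"\x02" * 42, b"\x03" * 100]
    data = build_pcap(payloads)
    path = os.path.join(tempfile.mkdtemp(), "live.pcap")
    with open(path, "wb") as f:
        f.write(data[:-30])  # third record header complete, payload truncated
    first = [p for _, p in follow_pcap(path, idle_timeout=0.3, poll=0.05)]
    with open(path, "ab") as f:
        f.write(data[-30:])  # the writer finishes the record
    second = [p for _, p in follow_pcap(path, idle_timeout=0.3, poll=0.05)]
    return first, second, payloads
```

The first pass returns only the two complete records and gives up on the truncated third once the file stays quiet; a second pass over the finished file yields all three, which is the difference between a reader that stops at end of file and one that follows a growing capture.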