[Bro] how to merge rx and tx from different pcaps / slightly off-topic

Matthias Vallentin vallentin at icir.org
Wed Sep 9 09:16:28 PDT 2015


> It looks like Bro is not seeing the data in the correct order. But from what I
> read in the mergecap source in merge_read_packet() this should work as intended:
> "Read the next packet, in chronological order, from the set of files to be
> merged."

You could give this a shot:

    ipsumdump --collate -r *.pcap -w merged.pcap

Unlike mergecap, ipsumdump does not assume packets are sorted within the
trace.

    Matthias
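The distinction in this reply (a merge that trusts each input to be in timestamp order versus a collate that sorts everything) is easy to see with two tiny captures. The following is an added illustration, not code from this thread, from mergecap or from ipsumdump: `merge_sorted_inputs` models a mergecap-style k-way merge with `heapq.merge`, `collate_inputs` models `ipsumdump --collate` with a global sort, and the two pcap byte strings are constructed inline (one of them deliberately out of order, as a tap writing rx and tx separately can produce). Only the classic little-endian libpcap format is handled; the function and constant names are this example's own.

```python
import heapq
import struct

# Classic libpcap format, little-endian, microsecond timestamps.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_pcap(packets):
    """Build a classic libpcap byte string from (ts_sec, ts_usec, payload) tuples.

    Constructed test data only: the payloads stand in for Ethernet frames.
    """
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, payload in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload))
        out += payload
    return bytes(out)


def read_pcap(data):
    """Yield (ts_sec, ts_usec, payload) from a classic little-endian pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled in this example")
    off = 24  # size of the global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def merge_sorted_inputs(traces):
    """mergecap-style k-way merge: assumes each input is already in timestamp order.

    heapq.merge only ever compares the *next* packet of each stream, so a packet that
    sits behind a later-timestamped one in its own file is emitted too late.
    """
    streams = [read_pcap(t) for t in traces]
    return list(heapq.merge(*streams, key=lambda p: (p[0], p[1])))


def collate_inputs(traces):
    """ipsumdump --collate style: read every packet, then sort globally by timestamp."""
    packets = [p for t in traces for p in read_pcap(t)]
    packets.sort(key=lambda p: (p[0], p[1]))
    return packets


def timestamps(packets):
    return [(p[0], p[1]) for p in packets]


def is_chronological(packets):
    ts = timestamps(packets)
    return all(a <= b for a, b in zip(ts, ts[1:]))


# Constructed sample captures: RX is in order, TX has its second packet written
# out of order (tx2 at 100.000100 after tx1 at 100.000200).
RX_PCAP = build_pcap([(100, 0, b"rx1"), (100, 300, b"rx2"), (101, 0, b"rx3")])
TX_PCAP = build_pcap([(100, 200, b"tx1"), (100, 100, b"tx2"), (100, 400, b"tx3")])

if __name__ == "__main__":
    merged = merge_sorted_inputs([RX_PCAP, TX_PCAP])
    collated = collate_inputs([RX_PCAP, TX_PCAP])
    print("k-way merge chronological?", is_chronological(merged), timestamps(merged))
    print("collate    chronological?", is_chronological(collated), timestamps(collated))
```

Running it shows the merge emitting tx1 (100.000200) before tx2 (100.000100) because it never looks past the head of the TX stream, while the collate produces a strictly chronological stream that a reassembling analyzer such as Bro can consume. A quick sanity check on a real merged file is the same `is_chronological` test applied to the output before feeding it to the analyzer.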

