[Bro] how to merge rx and tx from different pcaps / slightly off-topic
Matthias Vallentin
vallentin at icir.org
Wed Sep 9 09:16:28 PDT 2015
> It looks like Bro is not seeing the data in the correct order. But from what I
> read in mergecap source in merge_read_packet() this should work as intended:
> "Read the next packet, in chronological order, from the set of files to be
> merged."
You could give this a shot:

    ipsumdump --collate -r *.pcap -w merged.pcap

Unlike mergecap, ipsumdump does not assume packets are sorted within the
trace.
Matthias
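
Added example, not part of the original message and not code from mergecap or ipsumdump: a Python sketch of why a k-way merge that trusts each input to be time-sorted still emits packets out of order when one trace is internally disordered, while sorting across all packets does not. All function names and the RX/TX sample traces are constructed for illustration.

```python
import heapq
import struct

def read_pcap(buf):
    """Parse classic pcap bytes (not pcapng) into [(ts_usec, packet_bytes)]."""
    if buf[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif buf[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic microsecond-resolution pcap")
    pkts, off = [], 24  # skip the 24-byte global header
    while off + 16 <= len(buf):
        sec, usec, caplen, _origlen = struct.unpack_from(end + "IIII", buf, off)
        off += 16
        if off + caplen > len(buf):
            raise ValueError("truncated packet record")
        pkts.append((sec * 1_000_000 + usec, buf[off:off + caplen]))
        off += caplen
    return pkts

def make_pcap(pkts):
    """Build little-endian pcap bytes from [(ts_usec, payload)] (sample data only)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, data in pkts:
        out += struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000, len(data), len(data)) + data
    return out

def first_unsorted(pkts):
    """Index of the first packet older than its predecessor, or None if sorted."""
    for i in range(1, len(pkts)):
        if pkts[i][0] < pkts[i - 1][0]:
            return i
    return None

def merge_assuming_sorted(traces):
    """k-way merge: correct only if every input trace is already in time order."""
    return list(heapq.merge(*traces, key=lambda p: p[0]))

def merge_collated(traces):
    """Sort across all packets, so disorder inside a trace does not matter."""
    return sorted((p for t in traces for p in t), key=lambda p: p[0])

# Constructed sample: the RX trace has its last two packets swapped.
T0 = 1_000_000_000 * 1_000_000
RX = read_pcap(make_pcap([(T0 + 100, b"rx1"), (T0 + 300, b"rx3"), (T0 + 200, b"rx2")]))
TX = read_pcap(make_pcap([(T0 + 150, b"tx1"), (T0 + 250, b"tx2"), (T0 + 350, b"tx3")]))

if __name__ == "__main__":
    for name, merged in (("k-way", merge_assuming_sorted([RX, TX])), ("collated", merge_collated([RX, TX]))):
        print(name, [p[1].decode() for p in merged], "first out-of-order index:", first_unsorted(merged))
```

Running first_unsorted() over each input trace before merging shows whether a plain chronological merge is safe for that capture.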