[Bro] how to merge rx and tx from different pcaps / slightly off-topic
Frank Meier
franky.meier.1 at gmx.de
Thu Sep 10 00:58:45 PDT 2015
Hi,
On Wed, Sep 9, 2015 at 6:16, Matthias Vallentin <vallentin at icir.org> wrote:
>> It looks like Bro is not seeing the data in the correct order. But from
>> what I read in the mergecap source in merge_read_packet() this should
>> work as intended: "Read the next packet, in chronological order, from
>> the set of files to be merged."
>
> You could give this a shot:
>
> ipsumdump --collate -r *.pcap -w merged.pcap
>
> Unlike mergecap, ipsumdump does not assume packets are sorted within
> the trace.
>
Thanks, this is an idea, but with my first run of mergecap I made sure
the order is correct (verified with capinfos -o).
Apart from that it looks better now: only 3300 lines in weird.log with
115000 in conn.log.
I will investigate further whether the data in the pcaps is wrong or
Bro is to blame.
Franky
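Added example (not code from this thread, nor from Bro, mergecap or ipsumdump): a small Python script that reproduces the two merge strategies discussed above on constructed sample captures. `merge_heads` approximates what the quoted merge_read_packet() comment describes, always emitting the earliest packet among the current head of each input, which is only chronological if every input file is sorted internally; `merge_collate` loads everything and sorts globally, the behaviour the reply attributes to `ipsumdump --collate`. `out_of_order` is the check a `capinfos -o` style verification performs, and it is worth running on the inputs as well as on the merged output. The pcap files RX and TX are built inline and are hypothetical.

```python
"""Check pcap timestamp ordering and merge captures two ways: a head-of-file
merge (chronological only when every input is itself sorted) and a full
collate that sorts all records regardless of input order.

Added example, not the mailing-list author's code; the sample captures RX and
TX below are constructed inline and are hypothetical."""
import struct

MAGIC_US = 0xA1B2C3D4  # classic pcap, microsecond fractions
MAGIC_NS = 0xA1B23C4D  # pcap with nanosecond fractions
LINKTYPE_ETHERNET = 1


def build_pcap(records, magic=MAGIC_US, linktype=LINKTYPE_ETHERNET):
    """Serialise (ts_sec, ts_frac, payload) records as a little-endian pcap file."""
    header = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, linktype)
    body = b"".join(
        struct.pack("<IIII", sec, frac, len(p), len(p)) + p for sec, frac, p in records
    )
    return header + body


def records_to_pcap(records, magic=MAGIC_NS):
    """Write (timestamp_ns, payload) records back out; nanosecond magic loses no precision."""
    return build_pcap(
        [(ts // 1_000_000_000, ts % 1_000_000_000, p) for ts, p in records], magic=magic
    )


def read_pcap(data):
    """Yield (timestamp_ns, payload) per record, handling both byte orders and both magics."""
    for endian in ("<", ">"):
        magic, = struct.unpack(endian + "I", data[:4])
        if magic in (MAGIC_US, MAGIC_NS):
            break
    else:
        raise ValueError("not a pcap file (unknown magic)")
    scale = 1 if magic == MAGIC_NS else 1000
    off = 24  # global header length
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        payload = data[off:off + incl_len]
        if len(payload) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl_len
        yield sec * 1_000_000_000 + frac * scale, payload


def out_of_order(data):
    """Indices of records timestamped earlier than their predecessor (what capinfos -o flags)."""
    bad, prev = [], None
    for i, (ts, _) in enumerate(read_pcap(data)):
        if prev is not None and ts < prev:
            bad.append(i)
        prev = ts
    return bad


def merge_heads(files):
    """Head-of-file merge: repeatedly emit the earliest packet among the current head
    of each input. Chronological only if each input file is sorted internally."""
    streams = [list(read_pcap(f)) for f in files]
    pos = [0] * len(streams)
    out = []
    while True:
        best = None
        for i, s in enumerate(streams):
            if pos[i] < len(s) and (best is None or s[pos[i]][0] < streams[best][pos[best]][0]):
                best = i
        if best is None:
            return out
        out.append(streams[best][pos[best]])
        pos[best] += 1


def merge_collate(files):
    """Collate merge: load every record, then sort globally by timestamp.
    Ties keep file order and then in-file order, so the sort is stable."""
    recs = [(ts, i, n, p) for i, f in enumerate(files)
            for n, (ts, p) in enumerate(read_pcap(f))]
    recs.sort(key=lambda r: (r[0], r[1], r[2]))
    return [(ts, p) for ts, _, _, p in recs]


# Constructed sample captures: RX is sorted; TX carries a late record with an earlier
# timestamp, the situation in which a head-of-file merge silently misorders packets.
RX = build_pcap([(1, 0, b"r1"), (3, 0, b"r3"), (5, 0, b"r5")])
TX = build_pcap([(2, 0, b"t2"), (4, 0, b"t4"), (0, 0, b"t0")])

if __name__ == "__main__":
    print("TX out-of-order indices:", out_of_order(TX))
    print("head-of-file merge:", [p for _, p in merge_heads([RX, TX])])
    print("collate merge:", [p for _, p in merge_collate([RX, TX])])
```

Running it shows TX itself fails the ordering check at its third record, the head-of-file merge puts `t0` after `t4`, and only the collated output passes `out_of_order` cleanly. The parser accepts both little- and big-endian files and both the microsecond and nanosecond magic values, and raises on a truncated trailing record rather than silently dropping it.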