[Bro] I want to capture certain traffic using input framework

Jan Grashoefer jan.grashofer at cern.ch
Sun Sep 20 06:25:00 PDT 2015


Hi,

> FYI: I can use BPF (bro -f file.log), but in this case the issue is that
> bro has to be restarted many times since the file keeps adding new IPs, so that
> the file.log is to be updated. I also found the exclude filter function, but that
> excludes; I want to include certain traffic to be captured.

you can use the packet filter framework (see
https://www.bro.org/sphinx/scripts/base/frameworks/packet-filter/main.bro.html)
to install your filter live.

Regards,
Jan
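An added example (not code from the thread or from the Bro project) of what the reply suggests: the input framework re-reads a host list whenever the file changes, and the packet filter framework installs the matching filter live. The module name, the file path, the `Idx` record and the `"only-listed-hosts"` filter id are assumptions; it also assumes that `PacketFilter::exclude()` negates the expression it is given (so excluding `not (host ...)` keeps only the listed hosts) and that `PacketFilter::install()` rebuilds the running BPF filter afterwards.

```bro
# Added example, not from the mailing-list thread: keep only traffic to/from
# the hosts listed in a file, reloading the list without restarting Bro.
# Assumed: file path, record name Idx, and that PacketFilter::exclude()
# negates its expression while PacketFilter::install() re-applies the filter.
module OnlyListedHosts;

export {
	## Tab-separated file with a "#fields\tip" header line, one address per line.
	const host_file = "/etc/bro/capture_hosts.txt" &redef;
}

type Idx: record {
	ip: addr;
};

global allowed_hosts: set[addr];

event bro_init()
	{
	# REREAD mode makes the input framework reload the file when it changes.
	Input::add_table([$source=host_file, $name="capture_hosts",
	                  $idx=Idx, $destination=allowed_hosts,
	                  $mode=Input::REREAD]);
	}

# Fired by the input framework after every complete (re)read of the file.
event Input::end_of_data(name: string, source: string)
	{
	if ( name != "capture_hosts" )
		return;

	if ( |allowed_hosts| == 0 )
		{
		Reporter::warning(fmt("%s lists no hosts; packet filter left unchanged", source));
		return;
		}

	# Build "host a or host b or ..." and exclude its negation, so that
	# only the listed hosts survive the restriction.
	local expr = "";
	for ( a in allowed_hosts )
		expr = ( expr == "" ) ? fmt("host %s", a) : fmt("%s or host %s", expr, a);

	# Reusing the same filter id replaces the previously installed restriction.
	if ( ! PacketFilter::exclude("only-listed-hosts", fmt("not (%s)", expr)) )
		{
		Reporter::error(fmt("BPF expression failed to compile: %s", expr));
		return;
		}

	PacketFilter::install();
	}
```

Each successful install is recorded in packet_filter.log, which is the place to confirm that the new host list actually took effect.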
