[Bro] Is it possible to export pcap for a given event / connection?
Dirk Leinenbach
dirk at dirkleinenbach.de
Wed Sep 23 09:56:06 PDT 2015
Hi there,
does bro provide some mechanism to find the packets that are related to (have caused) a given event or connection?
Background: I'd like to be able to export pcap files in some situations for specific events; in that context I'm still able to get to the connection object, but I'd like to be able to see the original data as well for further analysis with Wireshark.
One possibility would be to reconstruct filters from the event to filter the original trace retrospectively. But I'm wondering if there is a more direct way to identify / extract the relevant packets.
Thanks for your help,
Dirk
More information about the Bro
mailing list