[Bro] Is it possible to export pcap for a given event / connection?

James Lay jlay at slave-tothe-box.net
Wed Sep 23 14:47:06 PDT 2015


On 2015-09-23 11:27 AM, Hosom, Stephen M wrote:
> Dirk,
> 
> Bro doesn't really have a good way to export packet captures.
> 
> You would be best off running something like time machine or
> stenographer (both open source packet capture projects) and then using
> Bro to export the small pcap related to the connection you want. If
> you'd like some pointers on how to do that, let me know. I've got some
> similar stuff going on in my environment.
> 
> Thanks,
> 
> Stephen
> 
> -----Original Message-----
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of
> Dirk Leinenbach
> Sent: Wednesday, September 23, 2015 12:56 PM
> To: bro at bro.org
> Subject: [Bro] Is it possible to export pcap for a given event / 
> connection?
> 
> Hi there,
> 
> does bro provide some mechanism to find the packets that are related
> to (have caused) a given event or connection?
> 
> Background: I'd like to be able to export pcap files in some
> situations for specific events; in that context I'm still able to get
> to the connection object, but I'd like to be able to see the original
> data as well for further analysis with Wireshark.
> 
> One possibility would be to reconstruct filters from the event to
> filter the original trace retrospectively. But I'm wondering if there
> is a more direct way to identify / extract the relevant packets.
> 
> Thanks for your help,
> 
> Dirk

We use dumpcap from wireshark from source for packet capture...example 
below:

/usr/local/bin/dumpcap -q -b filesize:409600 -b files:50 -Z none -f 'ip and port 25' -i eth2 -w /home/pcaps/mailcapture/mailtraffic.pcap

which creates 50 400-meg files and will start to overwrite after 
50...works well when run on the same box as bro-ids...very easy to 
correlate and pluck out what I want.

James
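As an added example (not James's or Stephen's code, and nothing Bro ships), here is one way to do the correlation James describes: take the 5-tuple and time window from a Bro conn.log record, pick the dumpcap ring-buffer files whose capture window overlaps it, and build the BPF filter and the mergecap/tcpdump pipeline that carves those packets out. The conn.log line and the ring listing are constructed; the code assumes dumpcap's `<prefix>_<seq>_<YYYYMMDDHHMMSS>.pcap` ring naming with file stamps from a UTC clock, and it only builds the shell command, it does not run it.

```python
"""Correlate one Bro connection with a dumpcap ring buffer (added example)."""
import calendar
import re
import shlex
import time

# Constructed conn.log record in Bro's default tab-separated field order:
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service  duration ...
CONN_LOG_LINE = ("1443043150.500000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t"
                 "192.0.2.25\t25\ttcp\tsmtp\t12.000000")

# Constructed listing of the ring buffer written by the dumpcap command above.
# dumpcap names ring files <prefix>_<seq>_<YYYYMMDDHHMMSS>.pcap; the stamp is the
# file's start time (assumed here to come from a UTC clock).
RING_FILES = [
    "/home/pcaps/mailcapture/mailtraffic_00001_20150923211000.pcap",
    "/home/pcaps/mailcapture/mailtraffic_00002_20150923211500.pcap",
    "/home/pcaps/mailcapture/mailtraffic_00003_20150923212000.pcap",
    "/home/pcaps/mailcapture/mailtraffic_00004_20150923212500.pcap",
]
RING_RE = re.compile(r"_\d{5}_(\d{14})\.pcap$")


def parse_conn(line):
    """Pull the 5-tuple, uid and time window out of one conn.log line."""
    f = line.split("\t")
    return {"ts": float(f[0]), "uid": f[1], "orig_h": f[2], "orig_p": int(f[3]),
            "resp_h": f[4], "resp_p": int(f[5]), "proto": f[6], "duration": float(f[8])}


def bpf_filter(conn):
    """BPF expression matching both directions of the connection (tcpdump/dumpcap -f syntax)."""
    if conn["proto"] == "icmp":  # ICMP has no ports, so match on the host pair only
        return "icmp and host {orig_h} and host {resp_h}".format(**conn)
    fwd = "(src host {orig_h} and src port {orig_p} and dst host {resp_h} and dst port {resp_p})".format(**conn)
    rev = "(src host {resp_h} and src port {resp_p} and dst host {orig_h} and dst port {orig_p})".format(**conn)
    return "%s and (%s or %s)" % (conn["proto"], fwd, rev)


def ring_files_for(conn, files, slack=1.0):
    """Ring files overlapping [ts - slack, ts + duration + slack]; each file runs
    from its own start stamp up to the next file's start stamp."""
    starts = sorted((calendar.timegm(time.strptime(m.group(1), "%Y%m%d%H%M%S")), p)
                    for p in files for m in [RING_RE.search(p)] if m)
    lo, hi = conn["ts"] - slack, conn["ts"] + conn["duration"] + slack
    chosen = []
    for i, (start, path) in enumerate(starts):
        end = starts[i + 1][0] if i + 1 < len(starts) else float("inf")
        if start <= hi and end > lo:
            chosen.append(path)
    return chosen


def extract_command(conn, files, out_dir="/tmp"):
    """Shell pipeline: merge the relevant ring files, keep only this connection's packets."""
    merge = ["mergecap", "-w", "-"] + ring_files_for(conn, files)
    out = "%s/%s.pcap" % (out_dir, conn["uid"])
    return "%s | tcpdump -r - -w %s %s" % (" ".join(shlex.quote(a) for a in merge),
                                           shlex.quote(out), shlex.quote(bpf_filter(conn)))
```

The 1 s slack covers clock skew between the Bro sensor and the capture box; widen it if the two do not share a clock.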
