[Bro] Is it possible to export pcap for a given event / connection?

Daniel Guerra daniel.guerra69 at gmail.com
Wed Sep 23 15:35:19 PDT 2015


There is a way to extract the application layer.
Check /usr/local/bro/share/base/protocols/conn/contents.bro

> On 23 Sep 2015, at 18:56, Dirk Leinenbach <dirk at dirkleinenbach.de> wrote:
> 
> Hi there,
> 
> does bro provide some mechanism to find the packets that are related to (have caused) a given event or connection?
> 
> Background: I'd like to be able to export pcap files in some situations for specific events; in that context I'm still able to get to the connection object, but I'd like to be able to see the original data as well for further analysis with Wireshark.
> 
> One possibility would be to reconstruct filters from the event to filter the original trace retrospectively. But I'm wondering if there is a more direct way to identify / extract the relevant packets.
> 
> Thanks for your help,
> 
> Dirk
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
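
The "reconstruct filters from the event" approach mentioned in the question, as an added example that is not code from either poster or from the Bro project: given a conn.log record, the 5-tuple (id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto) plus ts and duration is enough to build a BPF expression and a tcpdump command that cuts the connection's packets out of the original trace into a pcap that Wireshark can open. The conn.log excerpt, the uid values, the trace file name and the time slack are all constructed for the example; the function names are mine.

```python
"""
Rebuild a BPF filter for one Bro connection from its conn.log record.

Added example, not code from the thread or from the Bro project. The
conn.log excerpt below is constructed; real logs carry more columns, but
the parser keys on the #fields header so extra columns do not matter.
"""
import shlex

# Constructed sample in Bro's ASCII log format (tab separated, "-" = unset).
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval
1443052800.123456\tCXWv6p3arKYeMETxOg\t192.168.1.10\t51234\t93.184.216.34\t80\ttcp\thttp\t2.5
1443052801.500000\tCjhGID4nQcgTWjvg4c\t192.168.1.10\t5353\t224.0.0.251\t5353\tudp\tdns\t-
1443052803.000000\tC4J4Th3PJpwUYZZ6gc\t192.168.1.10\t8\t10.0.0.1\t0\ticmp\t-\t0.01
"""


def parse_conn_log(text):
    """Parse Bro ASCII conn.log text into a list of dicts keyed by #fields."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("malformed conn.log line: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def find_conn(records, uid):
    """Return the record with the given Bro connection uid."""
    for rec in records:
        if rec["uid"] == uid:
            return rec
    raise KeyError("uid %s not found in conn.log" % uid)


def bpf_for_conn(rec):
    """Return a BPF expression matching both directions of one connection.

    The direction-specific form is used on purpose: a plain
    "host A and host B and port X and port Y" would also match the
    reversed tuple A:Y <-> B:X, which is a different connection.
    """
    proto = rec["proto"]
    a, b = rec["id.orig_h"], rec["id.resp_h"]
    if proto in ("tcp", "udp"):
        ap, bp = rec["id.orig_p"], rec["id.resp_p"]
        fwd = "src host %s and src port %s and dst host %s and dst port %s" % (a, ap, b, bp)
        rev = "src host %s and src port %s and dst host %s and dst port %s" % (b, bp, a, ap)
    elif proto == "icmp":
        # Bro stores the ICMP type/code in the port columns; they are not
        # BPF ports. ICMP over IPv6 is a different BPF primitive.
        proto = "icmp6" if ":" in a else "icmp"
        fwd = "src host %s and dst host %s" % (a, b)
        rev = "src host %s and dst host %s" % (b, a)
    else:
        raise ValueError("unsupported proto in conn.log: %r" % proto)
    return "%s and ((%s) or (%s))" % (proto, fwd, rev)


def time_window(rec, slack=1.0):
    """Return (start, end) epoch seconds covering the connection plus slack.

    BPF cannot filter on time, so the 5-tuple alone may also catch a later
    reuse of the same ports; trim the output pcap to this window afterwards
    (for example with editcap -A/-B) if that matters.
    """
    start = float(rec["ts"])
    duration = 0.0 if rec["duration"] == "-" else float(rec["duration"])
    return start - slack, start + duration + slack


def tcpdump_command(trace, out_pcap, rec):
    """Return a shell-safe tcpdump command extracting rec from trace."""
    return "tcpdump -r %s -w %s %s" % (
        shlex.quote(trace), shlex.quote(out_pcap), shlex.quote(bpf_for_conn(rec)))


if __name__ == "__main__":
    for rec in parse_conn_log(SAMPLE_CONN_LOG):
        print(tcpdump_command("trace.pcap", rec["uid"] + ".pcap", rec))
        print("  window: %.6f - %.6f" % time_window(rec))
```

This yields packets, which is what Wireshark wants; it differs from the contents.bro mechanism named in the reply, where set_contents_file writes the reassembled application-layer byte stream of each direction rather than the packets that carried it.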
