[Bro] Tracking PCAP file sources?
David Vessey
jdvessey at gmail.com
Fri Oct 28 05:57:23 PDT 2016
Hi there,

I've tried to find this in the docs and even tried exploring source code.

This use case is more around after-the-fact network forensics, when working
with PCAP files.

If I have a bunch of pcaps, and I run bro like:

$ bro -r input1.pcap -r input2.pcap -r input3.pcap

Is there some way to associate bro's connection IDs back to contributing
pcap(s)?

Thanks!