[Bro] Tracking PCAP file sources?

Hoelzer, Dave DHoelzer at sans.org
Fri Oct 28 06:12:53 PDT 2016

Not really.  :)  Are the pcaps all contemporaneous or are they sequential?  If they’re sequential you could potentially use the timestamp.

David Hoelzer
Dean of Faculty, STI
Fellow, SANS.org<http://SANS.org>

On Oct 28, 2016, at 8:57 AM, David Vessey <jdvessey at gmail.com<mailto:jdvessey at gmail.com>> wrote:

Hi there,

I've tried to find this in the docs and even tried exploring source code.

This use case is more around after the fact network forensics, when working with PCAP files.

If I have a bunch of pcaps, and I run bro like:

$ bro -r input1.pcap -r input2.pcap -r input3.pcap

Is there some way to associate bro's connection IDs back to contributing pcap(s)?

Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161028/acf99326/attachment-0001.html 

More information about the Bro mailing list