[Bro] Tracking PCAP file sources?
Hoelzer, Dave
DHoelzer at sans.org
Fri Oct 28 06:12:53 PDT 2016
Not really. :) Are the pcaps all contemporaneous or are they sequential? If they’re sequential you could potentially use the timestamp.
———————————————————————
David Hoelzer
Dean of Faculty, STI
Fellow, SANS.org
On Oct 28, 2016, at 8:57 AM, David Vessey <jdvessey at gmail.com> wrote:
Hi there,
I've tried to find this in the docs and even tried exploring source code.
This use case is more around after the fact network forensics, when working with PCAP files.
If I have a bunch of pcaps, and I run bro like:
$ bro -r input1.pcap -r input2.pcap -r input3.pcap
Is there some way to associate bro's connection IDs back to contributing pcap(s)?
Thanks!
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
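A worked illustration of the timestamp approach suggested above, added here and not code from either poster: it reads the first and last packet time of each pcap, checks that the capture windows really are sequential (the caveat in the reply), and then maps each conn.log uid to every pcap whose window overlaps the connection's lifetime, so a connection that straddles two files is attributed to both. The file names come from the question; the uids, packet times and conn.log rows are constructed sample data, and the default conn.log column order plus little-endian microsecond pcap are assumed.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4  # little-endian, microsecond-resolution libpcap header
def build_pcap(timestamps):
    # Constructed sample data: a minimal pcap holding one empty record per timestamp.
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", int(t), int(round((t % 1) * 1e6)), 0, 0) for t in timestamps]
    return header + b"".join(records)

def pcap_time_range(data):
    # Walk the per-packet record headers; return (first_ts, last_ts) in epoch seconds.
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    offset, first, last = 24, None, None
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        last = sec + usec / 1e6
        first = last if first is None else first
        offset += 16 + incl_len
    return first, last

def ranges_are_sequential(ranges):
    # Hoelzer's caveat: timestamps only disambiguate if the capture windows never overlap.
    spans = sorted(ranges.values())
    return all(prev_hi < lo for (_, prev_hi), (lo, _) in zip(spans, spans[1:]))

def attribute_connections(conn_lines, ranges):
    # Map each conn.log uid to every pcap whose window intersects [ts, ts + duration];
    # assumes the default conn.log column order (ts first, uid second, duration ninth).
    result = {}
    for line in conn_lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        start = float(f[0])
        end = start + (float(f[8]) if f[8] != "-" else 0.0)
        result[f[1]] = [n for n, (lo, hi) in sorted(ranges.items()) if start <= hi and end >= lo]
    return result
# Constructed inputs: three back-to-back captures and a conn.log excerpt spanning them.
PCAPS = {
    "input1.pcap": build_pcap([1477650000.0, 1477650050.0, 1477650100.0]),
    "input2.pcap": build_pcap([1477650100.5, 1477650199.5]),
    "input3.pcap": build_pcap([1477650200.0, 1477650300.0]),
}
CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration",
    "1477650000.100000\tCuid0001\t10.0.0.1\t51234\t10.0.0.2\t80\ttcp\thttp\t0.5",
    "1477650090.000000\tCuid0002\t10.0.0.3\t40000\t10.0.0.4\t22\ttcp\tssh\t30.0",
    "1477650200.000000\tCuid0003\t10.0.0.5\t5353\t10.0.0.6\t53\tudp\tdns\t-",
]
RANGES = {name: pcap_time_range(data) for name, data in PCAPS.items()}
```

On real captures, replace `build_pcap(...)` with the bytes read from each file; if `ranges_are_sequential` returns False the attribution is ambiguous and a uid can legitimately map to several files.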