[Bro] dump_packet and dump_current_packet ignore file name

Assaf assaf.morami at gmail.com
Tue May 8 02:19:05 PDT 2018


Hi.

I'm trying to dump each connection to a different file, e.g.:

# Write every packet of a connection to a pcap named after that connection's UID.
event new_packet(c: connection, p: pkt_hdr) {
    dump_current_packet(c$uid + ".pcap");
}

But bro writes all of the packets to the first "c$uid" and ignores the rest.

Looking at the source code (
https://github.com/bro/bro/blob/091d1e163f687105bb6454d61252cbe4edae7d30/src/bro.bif#L3282-L3299),
it seems that bro ignores "file_name" if "addl_pkt_dumper" already exists.

Reading the changelog (https://www.bro.org/download/CHANGES.bro.txt), it
seems that "rotate_file_by_name" can be used to close "addl_pkt_dumper",
but it throws "can't move x.pcap to x.pcap.17946.1255209915.175512.tmp: No
such file or directory".

How can I solve this?