[Bro] dump_packet and dump_current_packet ignore file name

Johanna Amann johanna at icir.org
Tue May 8 11:28:53 PDT 2018


Hi,

just to follow up - your pull request at
https://github.com/bro/bro/pull/132 has just been merged and this should
work now.

Johanna

On Tue, May 08, 2018 at 09:19:05AM +0000, Assaf wrote:
> Hi.
> 
> I'm trying to dump each connection to a different file. E.g:
> 
> event new_packet(c: connection, p: pkt_hdr) {
>     dump_current_packet(c$uid + ".pcap");
> }
> 
> But bro writes all of the packets to the first "c$uid" and ignores the rest.
> 
> Looking at the source code (
> https://github.com/bro/bro/blob/091d1e163f687105bb6454d61252cbe4edae7d30/src/bro.bif#L3282-L3299),
> it seems that bro ignores "file_name" if "addl_pkt_dumper" already exists.
> 
> Reading the changelog (https://www.bro.org/download/CHANGES.bro.txt), it
> seems that "rotate_file_by_name" can be used to close "addl_pkt_dumper",
> but it throws "can't move x.pcap to x.pcap.17946.1255209915.175512.tmp: No
> such file or directory".
> 
> How can I solve this?