[Bro] dump_packet and dump_current_packet ignores file name

Assaf assaf.morami at gmail.com
Tue May 8 12:09:03 PDT 2018


Thanks!

On Tue, May 8, 2018 at 9:28 PM Johanna Amann <johanna at icir.org> wrote:

> Hi,
>
> just to follow up - your pull request at
> https://github.com/bro/bro/pull/132 has just been merged and this should
> work now.
>
> Johanna
>
> On Tue, May 08, 2018 at 09:19:05AM +0000, Assaf wrote:
> > Hi.
> >
> > I'm trying to dump each connection to a different file. E.g:
> >
> > event new_packet(c: connection, p: pkt_hdr) {
> >     dump_current_packet(c$uid + ".pcap");
> > }
> >
> > But bro writes all of the packets to the first "c$uid" and ignores the
> > rest.
> >
> > Looking at the source code
> > (https://github.com/bro/bro/blob/091d1e163f687105bb6454d61252cbe4edae7d30/src/bro.bif#L3282-L3299),
> > it seems that bro ignores "file_name" if "addl_pkt_dumper" already
> > exists.
> >
> > Reading the changelog (https://www.bro.org/download/CHANGES.bro.txt), it
> > seems that "rotate_file_by_name" can be used to close "addl_pkt_dumper",
> > but it throws "can't move x.pcap to x.pcap.17946.1255209915.175512.tmp:
> > No such file or directory".
> >
> > How can I solve this?
>
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
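An added illustration, not code from this thread or from Bro itself, of the behaviour Assaf describes: a Python model of one packet dumper that, pre-fix, keeps writing to whichever file was opened first, beside the corrected variant that closes and reopens when the requested name changes. The pcap framing is the classic libpcap file format; the PacketDumper class, the uids and the packets are constructed for the example.

```python
import struct
import tempfile
from pathlib import Path

PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # libpcap v2.4, snaplen 65535, Ethernet

def pcap_record(ts: float, data: bytes) -> bytes:
    # Record header: seconds, microseconds, captured length, original length; then the bytes.
    return struct.pack("<IIII", int(ts), int((ts % 1) * 1_000_000), len(data), len(data)) + data

class PacketDumper:
    def __init__(self, outdir: Path, reopen_on_new_name: bool):
        self.outdir, self.reopen_on_new_name = outdir, reopen_on_new_name
        self.fh, self.current_name = None, None  # one dumper object, kept open between calls

    def dump_current_packet(self, file_name: str, ts: float, data: bytes) -> None:
        # Pre-fix behaviour: an already-open dumper is reused whatever file_name was passed.
        if self.fh and self.reopen_on_new_name and file_name != self.current_name:
            self.close()
        if self.fh is None:
            self.fh = open(self.outdir / file_name, "ab")  # append: connections interleave
            if self.fh.tell() == 0:  # brand-new file: the global header goes first
                self.fh.write(PCAP_HDR)
            self.current_name = file_name
        self.fh.write(pcap_record(ts, data))

    def close(self) -> None:
        if self.fh:
            self.fh.close()
        self.fh = None

def count_records(path: Path) -> int:
    buf, off, n = path.read_bytes(), 24, 0  # skip the 24-byte global header
    while off + 16 <= len(buf):
        off, n = off + 16 + struct.unpack_from("<I", buf, off + 8)[0], n + 1
    return n

def split_by_uid(packets, outdir: Path, fixed: bool) -> dict:
    # packets: (uid, timestamp, bytes) triples; returns {file name: records written}.
    dumper = PacketDumper(outdir, reopen_on_new_name=fixed)
    for uid, ts, data in packets:
        dumper.dump_current_packet(uid + ".pcap", ts, data)
    dumper.close()
    return {p.name: count_records(p) for p in sorted(outdir.glob("*.pcap"))}

def demo(fixed: bool) -> dict:
    # Constructed sample: two made-up connection uids whose packets arrive interleaved.
    pkts = [("Cuid1", 1.0, b"\x00" * 60), ("Cuid2", 1.5, b"\x01" * 42), ("Cuid1", 2.0, b"\x02" * 70)]
    with tempfile.TemporaryDirectory() as d:
        return split_by_uid(pkts, Path(d), fixed)
```

With `fixed=False` every record lands in the first uid's file and the second file is never created; with `fixed=True` each connection gets its own pcap, with the global header written only once per file even though the dumper reopens it in append mode.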