[Zeek] Bro -r using multiple PCAP
Justin Azoff
justin at corelight.com
Mon Apr 29 15:15:05 PDT 2019
You can specify -r multiple times. Something like
import subprocess
import glob

# Build a single command line: bro -r a.pcap -r b.pcap ...
cmd = ["bro"]
for f in glob.glob("*.pcap"):
    cmd.extend(["-r", f])
subprocess.call(cmd)
will work to a point. Eventually you will hit ARG_MAX with enough
files, but for a few dozen this works fine. For more, something like
https://github.com/assafmo/joincap could be better.
I outlined a good way to do this as an input plugin a while back as
well: http://mailman.icsi.berkeley.edu/pipermail/zeek/2017-July/012355.html
On Mon, Apr 29, 2019 at 5:06 PM David Decker <x.faith at gmail.com> wrote:
>
> Looking to see if anyone has created a script, or if this is an argument to process multiple PCAPS using the bro -r argument.
>
> I have it setup to output to JSON currently and change from EPOCH time to normal date/time output, but that is one at a time, and will have multiple.
>
> Looking at either a batch script or maybe python but wanted to see if anyone has done this before.
> (Reingest multiple old PCAP files) to get re-ingested.
>
> Dave
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
--
Justin
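A variant of the script above that handles the ARG_MAX limit Justin mentions, added here as an example and not part of the original thread: it sizes each batch of -r arguments against the kernel's ARG_MAX and runs every batch in its own output directory so earlier logs are not overwritten. The helpers arg_max_budget and batch_pcaps and the bro-out directory name are my own; the binary name follows the post (newer Zeek releases call it zeek).

```python
import glob
import os
import subprocess

# Added example, not from the original post: batch a large set of pcaps so
# that each "bro -r a.pcap -r b.pcap ..." invocation stays under ARG_MAX,
# and run each batch in its own directory so one batch's logs do not
# overwrite the previous batch's. Newer Zeek releases name the binary "zeek".

def arg_max_budget(margin=0.5):
    """Argv byte budget: a fraction of the kernel's ARG_MAX, since the
    environment counts against the same limit."""
    try:
        arg_max = os.sysconf("SC_ARG_MAX")
    except (ValueError, OSError, AttributeError):
        arg_max = 131072  # conservative fallback when sysconf is unavailable
    return int(arg_max * margin)

def batch_pcaps(files, budget, base_cmd=("bro",)):
    """Yield lists of pcap paths such that base_cmd plus "-r <path>" for each
    entry fits in `budget` bytes (each argv string costs len + 1 for its NUL).
    An oversize single path is still yielded alone so nothing is dropped."""
    base_cost = sum(len(a) + 1 for a in base_cmd)
    batch, cost = [], base_cost
    for f in files:
        item_cost = (len("-r") + 1) + (len(f) + 1)
        if batch and cost + item_cost > budget:
            yield batch
            batch, cost = [], base_cost
        batch.append(f)
        cost += item_cost
    if batch:
        yield batch

def run_batches(pattern="*.pcap", outdir="bro-out", binary="bro"):
    """Process every pcap matching `pattern`, one batch per subdirectory."""
    files = sorted(glob.glob(pattern))
    for i, batch in enumerate(batch_pcaps(files, arg_max_budget(), (binary,))):
        dest = os.path.join(outdir, "batch-%03d" % i)
        os.makedirs(dest, exist_ok=True)
        cmd = [binary]
        for f in batch:
            cmd.extend(["-r", os.path.abspath(f)])  # absolute: we change cwd
        # Bro/Zeek writes conn.log etc. into the current working directory.
        subprocess.check_call(cmd, cwd=dest)

if __name__ == "__main__":
    run_batches()
```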