About Bro and splitting of the tcpdump trace

Hi,

I want to find a tool to split a trace captured with tcpdump into two parts: the normal sub-trace and the abnormal one comprising the network attacks detected. Can Bro do this? If not, any suggestion would be appreciated.

Thanks a lot!

Yours,
He

I want to find a tool to split a trace captured with tcpdump into two parts: the normal sub-trace and the abnormal one comprising the network attacks detected. Can Bro do this? If not, any suggestion would be appreciated.

I can answer part of the question. Suppose you want to split a trace into two sets of connections, A and B. If you can write a Bro policy script that determines, for each connection, whether it belongs to A or B, you can instruct Bro to write packets to an output trace on a connection-by-connection basis. The function to call is:

# Dump original packets on the connection up to this point to the
# output trace, if any.
function dump_packets_of_connection%(c: connection%): any

Ruoming
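As an added illustration (not part of the thread above, and not code from the Bro project), here is a sketch of the policy script Ruoming describes: connections are classified by a signature match, and only those are written to the output trace, so the output trace becomes the "abnormal" sub-trace. It assumes Bro 1.x conventions (the `signature_match` and `connection_state_remove` events, a `conn_id` set, and an output trace selected with `-w`), and it assumes that packets seen after the call are not dumped automatically, which is why the dump is deferred to the end of the connection.

```bro
# Added example, not from the original thread. Assumes Bro 1.x run as:
#   bro -r input.trace -w attacks.trace -s attack.sig this_script.bro
# The -w file receives only the packets we explicitly dump, so it ends
# up as the "abnormal" sub-trace.

# Connections that a loaded signature has matched (assumed classification).
global flagged: set[conn_id];

# Signature matches are one way Bro reports a detected attack; any other
# detection event that yields a connection could add to `flagged` instead.
event signature_match(state: signature_state, msg: string, data: string)
	{
	local c = state$conn;
	if ( c$id !in flagged )
		add flagged[c$id];
	}

# At connection end all of its packets have been seen, so dumping here
# writes the whole connection, not just the prefix seen at match time.
event connection_state_remove(c: connection)
	{
	if ( c$id !in flagged )
		return;

	# Dump original packets on the connection up to this point to the
	# -w output trace.
	dump_packets_of_connection(c);
	delete flagged[c$id];
	}
```

The "normal" sub-trace is the complement: every connection not in `flagged`; a second run with the test inverted (dump when `c$id !in flagged` is false) produces it from the same input.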