Hi all,
Bro can extract flow information from a dumpfile (I use it with the mt option).
I would like to split the entire dump into parts, one for each flow included in the dump.
Is it possible with Bro alone?
TnX,
Manuel.
Manuel, the demux.bro policy can write the application-layer *contents*
of individual flows to separate output files:
http://www.bro-ids.org/Bro-reference-manual/demux-Analysis-Script.html
If you want to demux the flows' individual *packets*, then check out
Netdude's command-line demux plugin. It can demux input traces on per-flow,
per-{src,dst}-port, and per-{src,dest}-port+host granularity:
http://sourceforge.net/project/showfiles.php?group_id=22071&package_id=108810&release_id=232168
Cheers,
Christian.
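An added example, not from this thread and not Bro's or Netdude's code: a small stand-alone per-flow packet demuxer that does what the Netdude plugin is described as doing, writing each TCP/UDP flow of a trace into its own pcap file. It assumes a little-endian microsecond pcap with Ethernet link type and IPv4 traffic; anything else is skipped, and the sample trace it runs on is constructed inline.

```python
import socket, struct

# pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def flow_key(frame):
    """Direction-independent (proto, endpoint, endpoint) key of an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
        return None
    l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]  # L4 offset from IHL, IP protocol number
    if proto not in (6, 17) or len(frame) < l4 + 4:      # TCP=6 / UDP=17, and room for the ports
        return None
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    a, b = (frame[26:30], sport), (frame[30:34], dport)
    return (proto, a, b) if a <= b else (proto, b, a)    # both directions map to the same key

def demux_pcap(data):
    """Split little-endian pcap bytes into {flow_key: complete per-flow pcap bytes}."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    flows, off = {}, 24
    while off + 16 <= len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        rec = data[off:off + 16 + caplen]                 # record header + captured frame
        key = flow_key(rec[16:])
        if key is not None:                              # non-IP / non-TCP/UDP frames are dropped
            flows[key] = flows.get(key, PCAP_GLOBAL_HDR) + rec
        off += 16 + caplen
    return flows

def write_flows(flows, prefix):
    """Write each flow to <prefix>_<proto>_<ip>_<port>_<ip>_<port>.pcap; returns the file names."""
    names = []
    for (proto, (ip1, p1), (ip2, p2)), pcap in flows.items():
        name = "%s_%d_%s_%d_%s_%d.pcap" % (prefix, proto, socket.inet_ntoa(ip1), p1, socket.inet_ntoa(ip2), p2)
        with open(name, "wb") as f:
            f.write(pcap)
        names.append(name)
    return names
def make_tcp_frame(src, dst, sport, dport):
    """Constructed minimal Ethernet/IPv4/TCP SYN frame for the sample trace (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp
# Constructed sample trace: two TCP flows (one seen in both directions) plus one ARP frame.
FRAMES = [make_tcp_frame("10.0.0.1", "10.0.0.2", 40000, 80),
          make_tcp_frame("10.0.0.2", "10.0.0.1", 80, 40000),        # reply, same flow
          make_tcp_frame("10.0.0.1", "10.0.0.3", 40001, 443),
          b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28]   # ARP: no flow key, skipped
SAMPLE = PCAP_GLOBAL_HDR + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                                    for i, f in enumerate(FRAMES))
```

Running `write_flows(demux_pcap(SAMPLE), "flow")` produces two files, one per flow, each a valid pcap containing only that flow's packets in their original order; to split a real trace, read its bytes into `demux_pcap` instead of `SAMPLE`.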