Bro-ids dpd offline analysis

Hey people,

I’m wondering whether there are any examples showing how to use bro with all the argument options. I found it kind of confusing, especially for people who are new to bro-ids, and I got few results when I tried googling. Maybe having all the usage examples in the wiki would be a big help.

By the way, I’m wondering whether there is a way to do offline analysis of a pcap using dpd. I have checked out brolite.bro, where it loads -

@load dpd
@load irc-bot
@load dyn-disable
@load detect-protocols
@load detect-protocols-http
@load proxy

I tried loading all of this into mt.bro and running -

bro -r test.pcap mt

It runs fine without loading all the dpd related analyzers; however, I have gone through all the bro workshop presentation slides and came across the DPD performance test where it is used to run offline analysis against large pcap files (the presentation done by Robin). I would like to know how the test is conducted and how one can do efficient offline bulk data analysis with the new bro-1.2.

Thanks.

> I'm wondering whether there are any examples showing how to use bro with all the
> argument options. I found it kind of confusing, especially for people who are new

Sorry, the shipped documentation is all we have in this regard at
this time. Yeah, having some more examples would certainly be nice.

> I tried loading all of this into mt.bro and running -
>
> bro -r test.pcap mt

That's almost correct except for one missing piece: for DPD you need
to set the capture-filter to include packets on non-standard ports,
e.g., "bro -f tcp -r test.pcap mt" to include all TCP packets. (This
is not different from live analysis which requires this too.)

Robin