Bro on other Packet Trace Dumps.

Hi, I'm new to bro and what I would like to do is run bro on 38 hours
of packet traces that I've acquired from another website.
Is there any simple way to do this?
I'm a bit confused as how to do this because I don't want to monitor
the traffic of my own website/network but analyse data that I
extracted from another source.

hi

if you have tcpdump files, you can easily do this with the -r flag:

bro -r example.trace brolite

see page 9 and the following in the reference manual.

have fun
christoph

hi dana

Page 9 of the reference manual appears to be a list of figures and tables.
I tried to run
> bro -r example.trace brolite
and it should work if I had a tcpdump file. Unfortunately my trace
files are not in tcpdump format.

i'm not sure, but i think that tcpdump is the only format at the moment which
can be read by bro.
what format do you have? maybe there is a converter around...

On page 18 of the Bro user manual, the following command was suggested
for use with a tcpdump file.
> bro -r dumpfile brohost

i meant page 17 of the pdf file which is page number 9 in the reference manual.
(see the number in the right upper corner)

by the way if you have installed bro with the commands "./configure", "make",
"make install" and "make install-brolite" or similar you can start it with the
command

bro -r dumpfile brolite

you have to replace the word "brohost" in the command with the name of the
policy file you want to load.
read more of it in the user and quick start manuals...

cheers
christoph

hi Chris,

i'm not sure, but i think that tcpdump is the only format at the moment which
can be read by bro.
what format do you have? maybe there is a converter around...

The current format of my data is just packet headers in binary. I
tried to convert to tcpdump format myself. Can I confirm that tcpdump
format for tcp connections is:
src > dst: flags data-seqno ack window urgent options

i'm only working with tcp packets.
a couple of examples of my packets are as follows
10.0.0.163.1422 > 10.0.0.219.80: . 17193851:17193851(0) ack 1278587442 win 8623
10.0.0.7.1202 > 10.0.0.8.25: P 22414518:22415922(1404) ack 20496183 win 8474
10.0.0.67.4945 > 10.0.0.66.80: S 2222637079:2222637079(0) win 32696 urg 0
10.0.0.11.26159 > 10.0.0.12.25: . 868560419:868561879(1460) ack 1691568355 win 61320

However, when I run this file with bro using

bro -r dumpfile brolite

I receive the error: problem with trace file dumpfile - bad dump file format.

Is there something I missed?
Cheers,
Dana

hi dana

tcpdump is also a binary format.
how did you catch your dump?
i mean when you catch it with tcpdump you get exactly what you described:
packet headers in binary.

cheers
christoph

Hi christoph,

are you saying that when this is run:

bro -r dumpfile brolite

dumpfile is a binary file? I thought bro took a tcpdump file and
tcpdump outputs files in the format of :
src > dst: flags data-seqno ack window urgent options

my packets were captured using a DAG2 system. traces are in DAG
format, which is a fixed 64 bytes record format with 40 bytes of IP
header. I extracted from my binary to make it look like a tcpdump
file.

cheers,
Dana

You can probably use Endace's 'dagconvert' utility to convert from the DAG format to pcap format.

pcap format /is/ the tcpdump binary format. You get this if you use the '-w file' option to tcpdump. Otherwise, it just outputs a textual description of the packets.

hi dana

are you saying that when this is run:

bro -r dumpfile brolite

dumpfile is a binary file?

yes it is!

I thought bro took a tcpdump file and
tcpdump outputs files in the format of :
src > dst: flags data-seqno ack window urgent options

no. tcpdump files are in a binary format. but when you make it visible
with the tcpdump command it looks like what you said.

my packets were captured using a DAG2 system. traces are in DAG
format, which is a fixed 64 bytes record format with 40 bytes of IP
header. I extracted from my binary to make it look like a tcpdump
file.

what an exotic format!
please, go to http://dag.cs.waikato.ac.nz/, then enter the download section
and get the dag-tools. install it and use the dagbpf command.
i didn't check this out, i only made the internet searches for you...
what i tell you are basics. maybe you have to read a bit first before coming
back and asking again.

have fun
christoph

I thought I was recreating the textual output that tcpdump would
create. I don't understand why bro is telling me there is something
wrong with my tcpdump imitation trace file.

What exactly should my packet trace file look like? I'm starting to
get confused as to what bro accepts.

I thought I was recreating the textual output that tcpdump would
create. I don't understand why bro is telling me there is something
wrong with my tcpdump imitation trace file.

This text output is _not_ what bro expects.

What exactly should my packet trace file look like? I'm starting to
get confused as to what bro accepts.

bro accepts only the tcpdump (aka pcap) _binary_ format.

Since you have a DAG format trace, you should just be able to use Endace's 'dagconvert' tool to convert to pcap format.

You'd do something like:

  $ dagconvert -T eth:pcap -i yourfile -o out.pcap
  $ bro ... -r out.pcap

I've assumed above that you've got legacy Ethernet file format. You may have ERF files from your dag capture, in which case you'd use '-T erf:pcap' in the dagconvert command line.

Here's the output from dagconvert -h:

$ dagconvert -h
dagconvert: DAG file conversion utility.
Usage: dagconvert [options]
     -d <device> DAG device name
     -h display help (this page)
     -v increase verbosity
     -i <filename> input file
     -o <filename> output file
     -r N[k|m|g] change output file after N Bytes.
                            k, m, g suffixes for kilobytes, megabytes, gigabytes.
     -s <snaplen> output snap length
     -t <seconds> capture period in seconds
     -T <in_type:out_type> input and output types (see list of types below)
     -A <int> output record alignment (ERF only)
     -V select variable length output (ERF only)
     -F select fixed length output (ERF only)
     -G specify GMT offset in seconds (pcap only)
     -c 0|16|32 specify number of bits in FCS checksum (pcap only)
     -f <list> comma separated list of filters (see list of filters below)
     -b <BPF> specify a BPF style filter

Supported types:
     dag ERF direct from DAG device (input only)
     erf ERF (extensible record format) file
     atm legacy ATM file (input only)
     eth legacy Ethernet file (input only)
     pos legacy PoS file (input only)
     null produces no input or output
     pcap libpcap format file (output only)
     prt ASCII text packet dump (output only)

Supported filters:
     rx filter out rx errors (link layer)
     ds filter out ds errors (framing)
     trunc filter out truncated packets
     a,b,c,d filter on indicated interface(s)
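As an added example (not code from this thread, from Bro or from Endace), the following Python script makes concrete the point the replies above are drawing. It takes the four tcpdump-style text lines Dana posted (used here as a constructed sample), rebuilds Ethernet/IPv4/TCP packets from them, and writes a real libpcap file of the kind `tcpdump -w` produces and `bro -r` reads. It also performs the same magic-number check libpcap does first, which is what turns the text version into "bad dump file format". MAC addresses, payload bytes, IP identification values and timestamps are synthetic, because the text lines do not carry them.

```python
"""Turn tcpdump-style text lines into a real libpcap (tcpdump -w) file.
Added example, not code from the thread or from Bro: libpcap, and so bro -r,
expects a binary file that starts with the pcap magic number, not the text
tcpdump prints, hence "bad dump file format" for the text version."""
import io
import re
import socket
import struct

# Constructed sample: the four tcpdump-style lines quoted in the thread.
SAMPLE_TEXT = """\
10.0.0.163.1422 > 10.0.0.219.80: . 17193851:17193851(0) ack 1278587442 win 8623
10.0.0.7.1202 > 10.0.0.8.25: P 22414518:22415922(1404) ack 20496183 win 8474
10.0.0.67.4945 > 10.0.0.66.80: S 2222637079:2222637079(0) win 32696 urg 0
10.0.0.11.26159 > 10.0.0.12.25: . 868560419:868561879(1460) ack 1691568355 win 61320
"""

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-timestamp pcap; written little-endian below
LINKTYPE_ETHERNET = 1
# Every byte order / precision variant libpcap accepts as a pcap magic number.
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "U": 0x20}

LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPU.]+) (?P<seq>\d+):\d+\((?P<len>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)(?: urg (?P<urg>\d+))?"
)


def parse_tcpdump_line(line):
    """Parse 'src.port > dst.port: flags seq:end(len) [ack N] win N [urg N]'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised tcpdump line: %r" % line)
    g = m.groupdict()
    return {
        "src": g["src"], "sport": int(g["sport"]),
        "dst": g["dst"], "dport": int(g["dport"]),
        "flags": g["flags"], "seq": int(g["seq"]), "len": int(g["len"]),
        "ack": int(g["ack"]) if g["ack"] else None,
        "win": int(g["win"]),
        "urg": int(g["urg"]) if g["urg"] else None,
    }


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(p, ident):
    """Ethernet/IPv4/TCP frame for one parsed line; the payload is synthetic zeros."""
    payload = b"\x00" * p["len"]
    flags = sum(bit for ch, bit in TCP_FLAG_BITS.items() if ch in p["flags"])
    if p["ack"] is not None:
        flags |= 0x10                      # "ack N" in the text implies the ACK bit
    src, dst = socket.inet_aton(p["src"]), socket.inet_aton(p["dst"])
    tcp = struct.pack("!HHIIHHHH", p["sport"], p["dport"], p["seq"], p["ack"] or 0,
                      (5 << 12) | flags, p["win"], 0, p["urg"] or 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     ident, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"  # synthetic MACs
    return eth + ip + tcp + payload


def text_to_pcap(text):
    """24-byte pcap global header, then a 16-byte record header before every frame."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    lines = [l for l in text.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        frame = build_frame(parse_tcpdump_line(line), ident=i + 1)
        sec, usec = 1_000_000_000 + i // 1000, (i % 1000) * 1000  # synthetic, 1 ms apart
        out.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def is_pcap(data):
    """The magic-number check libpcap performs before reading anything else."""
    return len(data) >= 24 and data[:4] in PCAP_MAGICS


def iter_records(data):
    """Yield (sec, usec, orig_len, frame_bytes) for each record of a pcap file."""
    if not is_pcap(data):
        raise ValueError("bad dump file format")
    order = "<" if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        yield sec, usec, orig, data[off:off + incl]
        off += incl
```

Writing `text_to_pcap(SAMPLE_TEXT)` to a file such as `out.pcap` gives something `bro -r out.pcap brolite` will open, whereas `is_pcap(SAMPLE_TEXT.encode())` is False: the first four bytes of the text file are the ASCII characters "10.0", not a pcap magic number. The IP and TCP checksums are filled in so the synthetic packets are not reported as checksum failures; the payload contents themselves are lost in the text form and cannot be recovered, which is also why converting the original DAG records with dagconvert is the better route.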

This is slightly off topic from the last bro packet trace dump thread. Right now I see bro rolling over bulk trace files as soon as the file size is 2G. (Even though we have large file system support on the os).

The issue with this is that all the other log files are also rolled over. I think bro just restarts itself.

Is it possible to set up bro to define the size at which bulk trace file should roll over and not have any other log files roll over (even if the bulk trace files roll over at 2G) ?

I tried looking in the source and also putting tcpdump-like options in the config file, but that does not seem to work.

Aashish Sharma

Woops. I'll CC it now

Not right now. You can have the bulk trace file rolled over by setting
log_max_size and adding its filename to RotateLogs::aux_files (see
rotate-logs.bro). But then log_max_size affects all log files for which no
explicit size has been defined with &rotate_size.

Robin