bro protocol detection from pcap


I installed Bro 2.0 and tried to use its dpd functionality to detect application level protocols. I attached two pcaps.
Running bro for test-http.pcap results in http detection in the conn.log

# bro -p broctl -p broctl-live -p standalone -p local -p bro -r webdav.pcap
# bro-cut service < conn.log

Then I wrote a script to extract TCP flows and save them as different pcap files. The idea is to keep the packets with the same source ip, source port, destination ip, destination port (one direction) or the other direction in the same pcap file.

One of the pcaps that has a http flow in it is 213.pcap. When I try it with bro I don't see any application level information.

# bro -p broctl -p broctl-live -p standalone -p local -p bro -r 213.pcap
# bro-cut service < conn.log

webdav.pcap (12.1 KB)

213.pcap (203 KB)
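The flow-splitting step the post describes, as an added example (not code from the original post or from Bro): a minimal libpcap reader that groups packets by direction-independent TCP 4-tuple and writes each flow to its own pcap, plus a has_handshake() check that tells whether a split file still starts with the SYN, which is worth verifying before running bro -r on it, since a flow captured mid-connection gives DPD less to work with. All function names, file names and the sample packets are constructed for this example.

```python
import struct
from collections import defaultdict

PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, Ethernet

def flow_key(pkt):
    """Direction-independent ((ip, port), (ip, port)) key for an Ethernet/IPv4/TCP frame, else None."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:  # not IPv4, or not TCP
        return None
    ihl = (pkt[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[14 + ihl:14 + ihl + 4])
    a, b = (pkt[26:30], sport), (pkt[30:34], dport)
    return (a, b) if a <= b else (b, a)  # sorting the endpoints merges both directions

def split_flows(pcap_bytes):
    """Group pcap packet records (16-byte record header kept) by bidirectional TCP flow."""
    endian = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    flows, off = defaultdict(list), 24  # records follow the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        rec = pcap_bytes[off:off + 16 + incl_len]
        key = flow_key(rec[16:])
        if key is not None:
            flows[key].append(rec)
        off += 16 + incl_len
    return flows

def has_handshake(records):
    """True if the flow's first packet carries SYN, i.e. the split file includes the connection start."""
    pkt = records[0][16:]
    return bool(pkt[14 + (pkt[14] & 0x0F) * 4 + 13] & 0x02)

def write_flow_pcaps(flows, prefix="flow"):
    """Write one pcap per flow (flow-0.pcap, flow-1.pcap, ...) with a fresh global header."""
    for i, recs in enumerate(flows.values()):
        with open(f"{prefix}-{i}.pcap", "wb") as f:
            f.write(PCAP_GLOBAL_HDR + b"".join(recs))

def _frame(src, sport, dst, dport, flags):
    """Constructed 54-byte Ethernet/IPv4/TCP frame with no payload (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\xff" * 6 + b"\xaa" * 6 + b"\x08\x00" + ip + tcp

# Constructed sample: one handshake to port 80 (both directions) plus an unrelated SYN to port 443.
A, B, C = bytes([10, 0, 0, 1]), bytes([93, 184, 216, 34]), bytes([10, 0, 0, 2])
PKTS = [(A, 40001, B, 80, 0x02), (B, 80, A, 40001, 0x12), (A, 40001, B, 80, 0x10), (C, 40002, B, 443, 0x02)]
SAMPLE_PCAP = PCAP_GLOBAL_HDR + b"".join(
    struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(_frame(*p) for p in PKTS))
```

Running write_flow_pcaps(split_flows(open("capture.pcap", "rb").read())) on a real capture produces one file per TCP connection that can be fed to bro -r one at a time.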