bro protocol detection from pcap

Hi,

I installed Bro 2.0 and tried to use its dpd functionality to detect application level protocols. I uploaded two pcap files for testing: http://www.loopbacking.info/dosya/

Running bro for test-http.pcap results in http detection in the conn.log

# bro -p broctl -p broctl-live -p standalone -p local -p bro -r webdav.pcap
# bro-cut service < conn.log
conn.log
http

Then I wrote a script to extract TCP flows and save them as different pcap files. The idea is to keep the packets with the same source IP, source port, destination IP, destination port (one direction) or the other direction in the same pcap file.

One of the pcaps that has an http flow in it is 213.pcap. When I try it with Bro I don't see any application level information.

# bro -p broctl -p broctl-live -p standalone -p local -p bro -r 213.pcap
# bro-cut service < conn.log


Your tracefile has bad checksums. Either fix the checksums or use the -C command line flag to ignore checksums.

> # bro -p broctl -p broctl-live -p standalone -p local -p bro -r 213.pcap

You can leave out most of this command line. This should work fine:

bro -r 213.pcap

BroControl runs with all of those extra args to add various functionality that you don't need to worry about when you're just looking to analyze a tracefile.

  .Seth
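
As an added example (not code from this thread or from Bro itself), here is a pure-Python splitter implementing the per-flow idea from the first post: it groups a classic pcap's TCP/IPv4 records by a direction-independent (IP, port) pair so both directions of a flow land in the same output pcap, and it also verifies each IPv4 header checksum, one of the checks that Bro performs and that -C tells it to skip. The build_frame and build_pcap helpers exist only to construct sample input; Ethernet link type, IPv4 without options beyond IHL, and plain TCP are assumed.

```python
import struct

def ones_complement_sum(data):
    """Folded 16-bit ones' complement sum, as used by the IPv4 header checksum (even length assumed)."""
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def flow_key(frame):
    """Direction-independent ((ip, port), (ip, port)) key for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
        return None
    ip_end = 14 + (frame[14] & 0x0F) * 4
    if len(frame) < ip_end + 4:
        return None
    sport, dport = struct.unpack('!HH', frame[ip_end:ip_end + 4])
    a, b = (frame[26:30], sport), (frame[30:34], dport)
    return (a, b) if a <= b else (b, a)  # sorted endpoints: both directions share one key

def split_flows(pcap):
    """Group a classic pcap into one pcap per TCP flow; also count records with bad IPv4 header checksums."""
    order = {b'\xa1\xb2\xc3\xd4': '>', b'\xd4\xc3\xb2\xa1': '<'}[pcap[:4]]  # magic number gives byte order
    flows, bad, off = {}, 0, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + 'I', pcap[off + 8:off + 12])[0]  # captured length of this record
        record, frame = pcap[off:off + 16 + incl], pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        key = flow_key(frame)
        if key is None:
            continue  # not TCP over IPv4: leave it out of the per-flow files
        if ones_complement_sum(frame[14:14 + (frame[14] & 0x0F) * 4]) != 0xFFFF:
            bad += 1  # a valid header sums to 0xFFFF; anything else is a bad checksum
        flows.setdefault(key, []).append(record)
    return {k: pcap[:24] + b''.join(recs) for k, recs in flows.items()}, bad

def build_frame(src, sport, dst, dport, good_checksum=True):
    """Constructed minimal Ethernet/IPv4/TCP SYN frame (no payload) used only to demonstrate the splitter."""
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40, 1, 0, 64, 6, 0, src, dst)
    if good_checksum:
        ip = ip[:10] + struct.pack('!H', 0xFFFF - ones_complement_sum(ip)) + ip[12:]
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
    return b'\x00' * 12 + b'\x08\x00' + ip + tcp

def build_pcap(frames):
    """Constructed classic pcap (big-endian magic, link type 1 = Ethernet) wrapping the given frames."""
    out = [struct.pack('!IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack('!IIII', 1330000000 + i, 0, len(frame), len(frame)) + frame)
    return b''.join(out)
```

Each value in the returned dict can be written to its own file and read back with `bro -C -r`; a non-zero bad count tells you in advance that a plain `bro -r` will complain about checksums.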

Hi,

> Your tracefile has bad checksums. Either fix the checksums or use the -C command line flag to ignore checksums.

> # bro -p broctl -p broctl-live -p standalone -p local -p bro -r 213.pcap

-C is what I was looking for. Thank you.

> You can leave out most of this command line. This should work fine:

> bro -r 213.pcap

> BroControl runs with all of those extra args to add various functionality that you don't need to worry about when you're just looking to analyze a tracefile.

-r pcap_file worked fine.