dump_packet and dump_current_packet ignores file name

Assaf · May 8, 2018, 9:19am

Hi.

I’m trying to dump each connection to a different file. E.g:

event new_packet(c: connection, p: pkt_hdr) {
dump_current_packet(c$uid + “.pcap”);
}

But bro writes all of the packets to the first “c$uid” and ignores the rest.

Looking at the source code (https://github.com/bro/bro/blob/091d1e163f687105bb6454d61252cbe4edae7d30/src/bro.bif#L3282-L3299), it seems that bro ignores “file_name” if “addl_pkt_dumper” already exists.

Reading the changelog (https://www.bro.org/download/CHANGES.bro.txt), it seems that “rotate_file_by_name” can be used to close “addl_pkt_dumper”, but it throws “can’t move x.pcap to x.pcap.17946.1255209915.175512.tmp: No such file or directory”.

How can I solve this?

johanna · May 8, 2018, 6:28pm

Hi,

just to follow up - your pull request at
https://github.com/bro/bro/pull/132 has just been merged and this should
work now.

Johanna

Assaf · May 8, 2018, 7:09pm

Thanks!

Topic		Replies	Views
Bro traffic logging Zeek	2	45	May 6, 2022
Bro as a fancy pcap filter Zeek	4	59	May 6, 2022
Write in realtime packets captured by Bro Zeek	2	75	May 6, 2022
dump files, loopback Zeek	1	80	May 6, 2022
dump files, loopback Zeek	1	47	May 6, 2022

dump_packet and dump_current_packet ignores file name

Related Topics