Run mergecap against your files and run bro against the one pcap file that
way, Call it done.
Hi Erik,
I cannot use the megecap and merge my pcaps because I need to keep them separated.
The reason for that is that I want to keep track and eventually store the pcap file with its relevant log files produced from bro.
Therefore I want to keep the pcap file name.
Any ideas ?
Thanks
If you cant run mergecap, you are going to have to do it as I posted elsewhere on the mailing list (few days ago?) to walk the tree (simple shell script). You will not be able to have Bro parse a bunch of pcaps continuously. You will have to call it once for every pcap you have, and deal with it that way.
Aside from which, if you need to keep the bro logs separate for each pcap, even if you could process a bunch of these at once, bro is going to comingle your logs, which you don’t seem to want.
Hi Erik,
I was hoping for some solution that will keep bro process loaded and running and feeding it with pcaps.
This way I can at least skip the reoccurring loading process.
You are going to have trouble keeping the logs with the original pcap in this case. You could have sessions that cross the pcaps like this....
PCAP 1 -> TCP session establishment
PCAP 2 -> lots of session data
PCAP 3 -> TCP session teardown - The conn log entry will be written here!
Your logs won't match up as closely as you'd like and could become very confusing. I would argue that this offline packet loading situation is a situation that you want to avoid at all costs, but if you have to live within that situation, I would argue that you want to keep the Bro processes up and treat the sequential files as a stream and don't try to tie logs to a particular file.
.Seth