Does Bro provide some mechanism to find the packets that are related to (have caused) a given event or connection?
Background: I'd like to be able to export pcap files in some situations for specific events; in that context I'm still able to get to the connection object, but I'd like to be able to see the original data as well for further analysis with Wireshark.
One possibility would be to reconstruct filters from the event to filter the original trace retrospectively. But I'm wondering if there is a more direct way to identify / extract the relevant packets.
Thanks for your help,
Bro doesn't really have a good way to export packet captures.
You would be best off running something like time machine or stenographer (both open source packet capture projects) and then using Bro to export the small pcap related to the connection you want. If you'd like some pointers on how to do that, let me know. I've got some similar stuff going on in my environment.
We use dumpcap from Wireshark from source for packet capture... example below:
/usr/local/bin/dumpcap -q -b filesize:409600 -b files:50 -Z none -f 'ip and port 25' -i eth2 -w /home/pcaps/mailcapture/mailtraffic.pcap
which creates 50 400 meg files and will start to overwrite after 50...works well when run on the same box as bro-ids...very easy to correlate and pluck out what I want.
There is a way to extract the application layer.
Here's what we do in Security Onion:
- Bro logs go into ELSA
- for most Bro logs, you can use ELSA's getPcap plugin to pivot to CapMe
- CapMe will then search the full packet capture store provided by netsniff-ng and provide you with an ASCII rendering of the stream or the raw pcap itself
For more information and a screenshot of this in action, please see .
Hope that helps!
 - http://securityonion.net
 - https://github.com/mcholste/elsa
 - https://github.com/int13h/capme
 - http://netsniff-ng.org/
 - http://taosecurity.blogspot.com/2013/01/security-onion-elsa-or-snorby-capme.html
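
The retrospective filtering raised in the question, applied to a dumpcap ring buffer like the one described above, as an added example that is not part of any post in this thread: it turns one conn.log record into a BPF filter and picks the ring files that can contain the connection. The conn.log record and file names are constructed, the function names are hypothetical, and the `<base>_<seq>_<YYYYMMDDhhmmss>.pcap` file naming is an assumption about how dumpcap names ring-buffer files.

```python
import ipaddress
import re
import shlex
from datetime import datetime, timedelta

# Constructed sample in Bro's tab-separated conn.log layout (not from the thread).
CONN_LOG = ("#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\n"
            "1358245830.12\tCXWv6p3arKYeMETxOg\t192.0.2.10\t49152\t198.51.100.25\t25\ttcp\t12.5\n")
# Constructed ring-buffer names; assumes dumpcap's <base>_<seq>_<YYYYMMDDhhmmss>.pcap scheme.
RING = ["mailtraffic_00007_20130115101500.pcap", "mailtraffic_00008_20130115102900.pcap",
        "mailtraffic_00009_20130115104200.pcap"]

def parse_conn_log(text):
    """Return one dict per record, keyed by the names on the #fields line."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def bpf_for(conn):
    """BPF expression matching both directions of the connection."""
    # These fields end up on a command line, so parse them strictly (ValueError if malformed).
    o, r = (ipaddress.ip_address(conn[k]) for k in ("id.orig_h", "id.resp_h"))
    if conn["proto"] not in ("tcp", "udp"):
        return f"host {o} and host {r}"  # conn.log "ports" for icmp are type/code
    op, rp = int(conn["id.orig_p"]), int(conn["id.resp_p"])
    return (f"{conn['proto']} and ((src host {o} and src port {op} and dst host {r} and dst port {rp})"
            f" or (src host {r} and src port {rp} and dst host {o} and dst port {op}))")

def files_covering(names, start, end):
    """Ring files whose lifetime overlaps [start, end]; a file runs until the next one opens."""
    stamped = sorted((datetime.strptime(re.search(r"_(\d{14})\.", n).group(1), "%Y%m%d%H%M%S"), n)
                     for n in names)
    hits = []
    for i, (opened, name) in enumerate(stamped):
        closed = stamped[i + 1][0] if i + 1 < len(stamped) else datetime.max
        if opened <= end and closed >= start:
            hits.append(name)
    return hits

def extract_commands(conn, names, start):
    """tcpdump command per candidate file; start = connection start in capture-host local time."""
    secs = float(conn["duration"]) if conn.get("duration", "-") != "-" else 0.0
    flt = shlex.quote(bpf_for(conn))
    return [f"tcpdump -r {shlex.quote(n)} -w {shlex.quote(conn['uid'])}_{i}.pcap {flt}"
            for i, n in enumerate(files_covering(names, start, start + timedelta(seconds=secs)))]
```

On the capture host, `datetime.fromtimestamp(float(conn["ts"]))` gives the `start` value in the same local time the file names use; a connection that spans a file rotation yields one command per file, and the resulting pcaps can be merged for Wireshark.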