Newbie at bro, some questions

Just point a free scan engine like Nessus at a site running a web server and run tcpdump locally on that box, or just have bro listen off a tap port that the web server runs through.

I am really not understanding why pcap files are referred to as traces, since its just pcap. Anyway, just run tcpdump on your webserver, point Metasploit or Nessus at it, and then read that traffic into bro elsewhere.