PCAP help

Charles_Mckee · April 19, 2018, 2:18pm

Hello Bro Team,

I need some help with PCAP.

We noticed when using Bro we see local host traffic.

We want to segment Bro’s traffic from the other traffic on a continual basis.

We cannot find any information on the net how to do this, so now I must reach out to you.

All traffic inbound comes into Bro and at that point we need to all of its own traffic segmented away somewhere.

Can you help me ?

Can you please send explicit directions for this.

Respectfully Yours

Charles McKee

DecisivEdge**, LLC**

O: 302.299.1570 x432 | C: 302.320.6968 | F: 302.299.1578

131 Continental Dr | Suite 409 | Newark, DE 19713

charles.mckee@decisivedge.com | www.DecisivEdge.com

Michael_Shirk · April 19, 2018, 3:01pm

So what interface is Bro monitoring? and have you configured your
networks.cfg? Need some more details on what traffic you are having
issues splitting out.

Michael_Shirk · April 19, 2018, 3:57pm

It is advised to not monitor the same network you use to connect to
the Bro sensor, but you can ignore all of the traffic involving the
Bro sensor with bpf filter by adding the following to your local.bro:

redef cmd_line_bpf_filter = "not (host BROIPADDRESS)";

Topic		Replies	Views
PCAP help. Zeek	1	84	May 6, 2022
Bro Not Extracting Host Fields from HTTP Traffic Zeek	4	91	May 6, 2022
#336: Global config variable to disable packet filtering (i.e., accept all packets) Development development	1	79	May 6, 2022
Bro Digest, Vol 109, Issue 14 Zeek	2	116	May 6, 2022
(no subject) Zeek	2	97	May 6, 2022

PCAP help

Related topics