PCAP help.

Hi Charles,

Just out of curiosity, how are you getting traffic to your Bro sensors? Network tap, port mirror?
Also, did you look at the networks.cfg config file to define your local nets and private IP ranges?
Depending on how you are feeding traffic to Bro, you could potentially filter the traffic you don’t want Bro sensors to process by using CIDR filters on port mirroring software or packet filters with Bro BPF on NICs.

It’s a little unclear (to me) what traffic Bro is seeing on your network and what you want to do with it.