Reading _all_ packets

Greetings

I am trying to use bro to read tcpdump files for the purposes of
characterizing network traffic (not just that which is directed to the
host). It has a more consistent output format than tcpdump, I'm going to
want to do some filtering at some point, and it might be easier than trying
to write my own routines from libpcap (maybe). The documentation is robust,
which is a 'good news'/'bad news' situation. Is there a simple explanation
for how to make bro report _everything_?

Thanks

Mike

What exactly do you mean by "everything"? As you compare Bro to
tcpdump it sounds like you would like to see every packet. That does
not really fit into Bro's connection-oriented model. Do you know
ipsumdump[1]? Perhaps that could be more appropriate here?

Robin

[1] http://www.icir.org/kohler/ipsumdump/

It will be more appropriate.

Thanks

Mike
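An added illustration, not code from this thread, from Bro or from ipsumdump: a per-packet summariser in the spirit of what Mike describes, reading a classic tcpdump/libpcap file and emitting one flat record per packet (including traffic not addressed to the capturing host) rather than a per-connection view. The capture it parses is constructed inline; the record fields, the Ethernet-only restriction and the sample addresses are this example's own assumptions.

```python
import struct

def read_pcap(data: bytes):
    """Yield (timestamp, captured bytes) for every record of a classic pcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng and nanosecond variants not handled)")
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:  # DLT_EN10MB; this example only decodes Ethernet frames
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError("truncated packet record")
        yield ts_sec + ts_usec / 1e6, data[off:off + caplen]
        off += caplen

def summarize(ts: float, raw: bytes) -> dict:
    """One flat record per packet, whether or not it belongs to any tracked connection."""
    rec = {"ts": ts, "proto": "non-ip", "src": None, "dst": None, "sport": None, "dport": None}
    if len(raw) < 34 or raw[12:14] != b"\x08\x00":  # need Ethernet + minimal IPv4 header
        return rec
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    rec["proto"] = {1: "icmp", 6: "tcp", 17: "udp"}.get(ip[9], str(ip[9]))
    rec["src"] = ".".join(str(b) for b in ip[12:16])
    rec["dst"] = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if ip[9] in (6, 17) and len(l4) >= 4:  # TCP and UDP both begin with src/dst port
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
    return rec

def summarize_pcap(data: bytes) -> list:
    return [summarize(ts, raw) for ts, raw in read_pcap(data)]

def build_sample_pcap() -> bytes:
    """Constructed sample capture (not real traffic): one DNS query over UDP, one TCP SYN."""
    def frame(proto, src, dst, payload):
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0, bytes(src), bytes(dst))
        return b"\x00" * 12 + b"\x08\x00" + ip_hdr + payload  # zeroed MACs, EtherType IPv4
    pkts = [frame(17, [10, 0, 0, 5], [10, 0, 0, 53], struct.pack("!HHHH", 40000, 53, 8, 0)),
            frame(6, [192, 168, 1, 2], [198, 51, 100, 7], struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 0x50, 0x02, 65535, 0, 0))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian global header
    for i, p in enumerate(pkts):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(p), len(p)) + p
    return out
```

Running `summarize_pcap(open("trace.pcap", "rb").read())` on a real tcpdump file gives the same per-packet records; filtering is then a matter of selecting on the dict fields.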