contents.bro performs session reconstruction of IPv4 traffic, but when
running Bro 1.5 contents.bro against an IPv6 packet trace, it creates
0-length files, but doesn't extract the session contents to those
files. Is this in the works?
Thanks in advance.

That will be part of the work for 2.1. I'll file a ticket for that to make sure we look into it.

As a workaround, the latest version of tcpflow 1.0.2
(http://freecode.com/projects/tcpflow) performs IPv6 session
reassembly into files. I had to hack it a bit to get it to work on
FreeBSD, but will be submitting the patches upstream.