Store PCAP logs

user8 · August 3, 2015, 1:14pm

Hello,

I’ve installed Bro IDS on my computer, and I want to know is it possible to make Bro generate pcap logs? Because I want to use Wireshark to analyze Bro logs.
Another question, does anyone tried Splunk to analyze Bro logs? Can anyone give me some advice?

Any help would be great. Thank You.

Slagell_Adam_J · August 3, 2015, 1:30pm

Bro can analyze pcaps, but it doesn't generate them.

Wire shark isn't really a log analyzer, but a raw traffic analyzer/GUI.

There are Bro plugins for Splunk. It works well.

Daniel_Thayer · August 3, 2015, 5:06pm

Bro can generate pcap files with the "-w" command-line option.
Example:
bro -i eth0 -w output.pcap

Slagell_Adam_J · August 3, 2015, 5:18pm

Keep in mind that you aren't analyzing Bro logs in this way, though. If all you want are pcaps, tcpdump should suffice. If you want both, this is a good solution.

Topic		Replies	Views
Monitoring a directory and running bro on the PCAPs Zeek	8	197	May 6, 2022
can't get the http analyzer to print anything Zeek	3	84	May 6, 2022
Capturing the raw trace... Zeek	7	117	May 6, 2022
Write in realtime packets captured by Bro Zeek	2	101	May 6, 2022
Bro traffic logging Zeek	2	66	May 6, 2022

Store PCAP logs

Related topics