Tracking PCAP file sources?

Hi there,

I’ve tried to find this in the docs and even tried exploring source code.

This use case is more around after-the-fact network forensics, when working with PCAP files.

If I have a bunch of pcaps, and I run bro like:

$ bro -r input1.pcap -r input2.pcap -r input3.pcap

Is there some way to associate bro’s connection IDs back to contributing pcap(s)?

Thanks!

Not really. :) Are the pcaps all contemporaneous or are they sequential? If they’re sequential you could potentially use the timestamp.
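
The timestamp approach suggested in the reply, sketched as an added example (not code from this thread or from the Bro project): read each capture's first and last packet time, then match a connection's `ts` and `duration` from conn.log against those windows. It assumes classic pcap files rather than pcapng; the function names are hypothetical and the sample captures and timestamps are constructed.

```python
import io
import struct

# First 4 bytes of a classic pcap file -> (struct byte order, sub-second divisor)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1e6),  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", 1e6),  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", 1e9),  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", 1e9),  # big-endian, nanosecond timestamps
}

def capture_window(stream):
    """Return (first_ts, last_ts) over all packets in a classic pcap stream."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    order, frac = MAGICS[header[:4]]
    first = last = None
    while True:
        rec = stream.read(16)
        if len(rec) < 16:                      # end of file or truncated record
            break
        sec, sub, incl_len, _orig = struct.unpack(order + "IIII", rec)
        ts = sec + sub / frac
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        stream.seek(incl_len, io.SEEK_CUR)     # skip the packet bytes
    return first, last

def contributing_pcaps(conn_ts, conn_duration, windows):
    """Names of pcaps whose window overlaps [conn_ts, conn_ts + duration]."""
    end = conn_ts + (conn_duration or 0.0)     # duration may be unset in conn.log
    return [name for name, (first, last) in windows.items()
            if first is not None and first <= end and conn_ts <= last]

def sample_pcap(timestamps):
    """Constructed sample: little-endian pcap holding 4-byte dummy packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts in timestamps:
        out += struct.pack("<IIII", int(ts), int(round(ts % 1 * 1e6)), 4, 4) + b"\x00" * 4
    return io.BytesIO(out)

# Constructed capture times standing in for three sequential files
SAMPLES = {"input1.pcap": [1000.0, 1010.5, 1059.0],
           "input2.pcap": [1060.0, 1100.0, 1119.5],
           "input3.pcap": [1120.0, 1150.0]}
WINDOWS = {name: capture_window(sample_pcap(ts)) for name, ts in SAMPLES.items()}
```

A connection that spans a file boundary comes back with two names, and if the captures are contemporaneous their windows overlap, so the timestamp alone cannot single out one file.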