Hi there,
I’ve tried to find this in the docs and even tried exploring source code.
This use case is more around after the fact network forensics, when working with PCAP files.
If I have a bunch of pcaps, and I run bro like:
$ bro -r input1.pcap -r input2.pcap -r input3.pcap
Is there some way to associate bro’s connection IDs back to contributing pcap(s)?
Thanks!
Are the pcaps all contemporaneous or are they sequential? If they’re sequential you could potentially use the timestamp.