Doh! RTFM! I actually spent some time *reading* the tcpdump man page
and discovered that the '-G 3600' option will rotate the -w log files
every hour. Humm, my Linux tcpdump 3.8 doesn't seem to have a -G
option. Looks like I need tcpdump 3.9?
I will run tcpdump on a different system from BRO. I happen to have
two systems connected to the border traffic fire-hose. I will be
able to wait for BRO to trigger on a bogus outbound port scan and
then go look for the raw dump file. So far, BRO hasn't triggered on
any bogus outbound port scans since I sent my original mail. Humm,
this must be a Heisenbug.
On Oct 10, 2007, at 12:12, Robin Sommer wrote:
> On Wed, Oct 10, 2007 at 10:53 -0500, Randolph Reitz wrote:
> > exists? Does BRO have some secret way of preserving the libpcap
> > output (er, the BRO input)?
>
> Nice picture. :) But try the -w option first; it records all of
> Bro's input into a trace file.
>
> > Well, we need to manage the trace file. When BRO is checkpointed
> > daily, will a new trace file be created?
>
> Robin Sommer * Phone +1 (510) 931-5555 * robin(a)icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
Bro mailing list
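As an added example that is not part of this thread, here is the "go look for the raw dump file" step from the message above in Python. It assumes tcpdump was started with `-G 3600` and a strftime-style name such as `-w trace-%Y%m%d-%H%M%S.pcap` (with a plain `-w` name each rotation overwrites the previous file); the file names and the pcap built by `make_sample_pcap` are constructed test data, not captures from the list.

```python
import os
import struct
from datetime import datetime, timedelta

ROTATE_SECONDS = 3600                    # the -G 3600 interval from the thread
NAME_FMT = "trace-%Y%m%d-%H%M%S.pcap"    # assumed -w pattern; tcpdump expands strftime codes

def file_for_alert(filenames, alert_time):
    """Pick the rotated trace whose one-hour window contains the alert timestamp."""
    windows = []
    for path in filenames:
        try:
            windows.append((datetime.strptime(os.path.basename(path), NAME_FMT), path))
        except ValueError:
            continue                     # skip files that do not follow the rotation pattern
    for start, path in sorted(windows):
        if start <= alert_time < start + timedelta(seconds=ROTATE_SECONDS):
            return path
    return None

def carve_window(pcap_bytes, center_epoch, radius):
    """Return (new pcap bytes, packet count) keeping only packets within +/- radius seconds."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"                     # little-endian libpcap file, microsecond timestamps
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    out = bytearray(pcap_bytes[:24])     # keep the 24-byte global header as-is
    off, kept = 24, 0
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        rec_end = off + 16 + incl_len
        if rec_end > len(pcap_bytes):
            break                        # truncated last record: tcpdump is still writing it
        if abs(ts_sec + ts_usec / 1e6 - center_epoch) <= radius:
            out += pcap_bytes[off:rec_end]
            kept += 1
        off = rec_end
    return bytes(out), kept

def make_sample_pcap(packet_epochs):
    """Constructed test input: a little-endian pcap with 4-byte dummy packets at the given times."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    records = b"".join(
        struct.pack("<IIII", int(t), int(round((t % 1) * 1e6)), 4, 4) + b"\xde\xad\xbe\xef"
        for t in packet_epochs)
    return header + records
```

Write the bytes returned by `carve_window` to a file and the result opens in tcpdump -r or Wireshark like any other capture.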