To run on recorded traffic, you use the -r flag to indicate the trace file Bro should read. As with -i, you can use the flag multiple times to read from multiple files; Bro will merge the packets from the files into a single packet stream based on their timestamps.
The Bro distribution includes an example trace that you can try out, example.ftp-attack.trace. If you invoke Bro using:

    setenv BRO_ID example
    bro -r example.ftp-attack.trace mt

you'll see that it generates a connection summary to stdout, a summary of the FTP sessions to ftp.example, a copy of what would have been real-time alerts had Bro been running on live traffic to log.example, and a summary of unusual traffic anomalies (none in this trace) to weird.example.
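The following is an added illustration of the multi-file merge described above, not code from the Bro project: it parses classic libpcap trace files (the format Bro reads with -r) and interleaves the records from several files by timestamp, the way "bro -r a.trace -r b.trace" presents them to the analysis engine. The two traces are constructed inline for the example.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic number (microsecond timestamps)


def read_pcap(data):
    """Yield (ts_sec, ts_usec, packet_bytes) records from raw libpcap bytes."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"            # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"            # same magic seen byte-swapped: big-endian file
    else:
        raise ValueError("not a libpcap trace")
    offset = 24                 # skip the 24-byte global header
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        pkt = data[offset:offset + incl_len]
        if len(pkt) < incl_len:
            raise ValueError("truncated packet record")  # refuse a cut-off trace
        offset += incl_len
        yield ts_sec, ts_usec, pkt


def merge_traces(traces):
    """Merge several traces into one stream ordered by (ts_sec, ts_usec), as -r does for multiple files."""
    streams = [read_pcap(t) for t in traces]
    return list(heapq.merge(*streams, key=lambda r: (r[0], r[1])))


def make_trace(records, endian="<"):
    """Build a constructed libpcap file: global header (Ethernet link type) plus one record per packet."""
    header = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack(endian + "IIII", s, u, len(p), len(p)) + p for s, u, p in records)
    return header + body


# Constructed sample traces: payloads are labels, not real packets.
TRACE_A = make_trace([(100, 0, b"a1"), (100, 500000, b"a2"), (103, 0, b"a3")])
TRACE_B = make_trace([(99, 0, b"b1"), (101, 0, b"b2")], endian=">")

if __name__ == "__main__":
    for sec, usec, pkt in merge_traces([TRACE_A, TRACE_B]):
        print(f"{sec}.{usec:06d} {pkt.decode()}")
```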