The Bro distribution includes a couple of scripts to make bulk capture easier. These are:
spot-trace
: called by the start-capture-all script
start-capture-all
: captures all packets. This script looks for an existing instance of the spot-trace program and, if it finds one, creates a new capture file with an incremented filename and continues capturing data. Bulk capture files can get very large, so typically you run this as a cron job every 1-2 hours.
bro_bulk_compress.sh
: compresses and/or deletes old bulk trace files. Run as a cron job.
Since the bulk trace files can be huge, you will often want to run tcpdump on the raw trace with a filter to extract the packets of interest. For example:
tcpdump -r bulkXXX.trace -w goodstuff.trace 'host w.x.y.z'
If you know that the packets you want are bounded by a time interval, say the activity occurred 1:17PM-1:18PM, then you can speed this up a great deal using tcpslice. For example:
tcpslice 13h15m +5m bulkXXX.trace | tcpdump -r - -w goodstuff.trace ...
It is recommended to use a somewhat broader time interval for tcpslice (as in the above example) than the one in which Bro reported the activity, so you can catch additional related packets cheaply.
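The two pieces of the workflow above, the incremented capture file name that start-capture-all produces and the padded tcpslice window used for extraction, as an added shell example that is not part of the Bro distribution. It assumes bulk traces are named prefixNNN.trace (the "bulkXXX.trace" placeholder in the text), and the extract_window wrapper is hypothetical.

```sh
#!/bin/sh
# Added example, not part of the Bro distribution. Assumes bulk traces are
# named <prefix>NNN.trace (the "bulkXXX.trace" placeholder in the text).

# Minutes since midnight for an HH:MM time. Leading zeros are stripped so
# that 08 and 09 are not read as (invalid) octal by the shell.
to_min() {
    h=${1%%:*}; m=${1##*:}
    h=${h#0}; m=${m#0}
    echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# Print the next capture file name in DIR: one higher than the largest
# existing <prefix>NNN.trace (000 when none exist), as start-capture-all
# does when it finds a spot-trace already running.
next_bulk_trace() {
    dir=$1; prefix=${2:-bulk}; max=-1
    for f in "$dir"/"$prefix"[0-9]*.trace; do
        [ -e "$f" ] || continue
        n=${f##*/}; n=${n#"$prefix"}; n=${n%.trace}
        n=$(printf '%s' "$n" | sed 's/^0*//'); n=${n:-0}
        [ "$n" -gt "$max" ] && max=$n
    done
    printf '%s/%s%03d.trace\n' "$dir" "$prefix" $((max + 1))
}

# Given the window Bro reported (HH:MM to HH:MM, same day) and a pad in
# minutes, print tcpslice's "<start> +<dur>m" broadened by the pad on both
# sides, so nearby related packets are included. 13:17-13:18 with the
# default pad of 2 gives "13h15m +5m", the window used in the text.
slice_window() {
    s=$(( $(to_min "$1") - ${3:-2} ))
    e=$(( $(to_min "$2") + ${3:-2} ))
    [ "$s" -lt 0 ] && s=0
    [ "$e" -gt 1439 ] && e=1439
    printf '%dh%dm +%dm\n' $((s / 60)) $((s % 60)) $((e - s))
}

# Slice the bulk trace to the padded window, then filter with tcpdump:
#   extract_window bulk001.trace goodstuff.trace 13:17 13:18 'host w.x.y.z'
# Needs tcpslice and tcpdump on PATH; hypothetical wrapper.
extract_window() {
    trace=$1; out=$2; win=$(slice_window "$3" "$4" "${6:-}")
    tcpslice ${win% *} ${win#* } "$trace" | tcpdump -r - -w "$out" "$5"
}
```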