Given an input PCAP and a location in a Bro script (file:line), this script filters the PCAP into a new file containing only the connections that reached that script location, i.e. the connections whose processing hit a breakpoint set there. It is useful for narrowing a large PCAP down to the connections that triggered a particular problem, such as protocol violations, weirds, etc.
> tshark -r ~/pcaps/dns_multicast_bug.pcap| wc -l
499
> ./breakpoint_to_pcap.sh -r ~/pcaps/dns_multicast_bug.pcap -o test_output.pcap -b /Users/vladg/src/bro/scripts/base/protocols/dns/./main.bro:414 --
Policy file debugging ON.
In bro_init() at /Users/vladg/src/bro/scripts/base/frameworks/sumstats/./main.bro:276
276 hook register_observe_plugins();
Setting breakpoint on /Users/vladg/src/bro/scripts/base/protocols/dns/./main.bro:414:
Breakpoint 1 set at /Users/vladg/src/bro/scripts/base/protocols/dns/./main.bro:414
Breakpoint set at:
410
411 for ( i in strs )
412 {
413 if ( i > 0 )
414 txt_strings += " ";
415
416 txt_strings += fmt("TXT %d %s", |strs[i]|, strs[i]);
417 }
418
419 hook DNS::do_reply(c, msg, ans, txt_strings);
Continuing.
(Bro [0]) (Bro [1]) (Bro [2]) (Bro [3]) (Bro [4])
> tshark -r test_output.pcap | wc -l
> 86
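The filtering half of this workflow, written out as an added example (this is not the breakpoint_to_pcap.sh script itself): once the ids of the connections that hit the breakpoint are known, keep only the packets belonging to those connections and write them to a new PCAP. The example assumes connection ids in the shape Bro's c$id carries them (orig_h, orig_p, resp_h, resp_p, plus the transport protocol), matches packets in both directions, and builds its sample PCAP inline so it runs offline. The packet builder and the minimal PCAP reader are assumptions of this example, not Bro APIs.

```python
import socket
import struct

PROTO = {"tcp": 6, "udp": 17}


def conn_key(ip_a, port_a, ip_b, port_b, proto):
    """Direction-independent key: sorting the endpoints makes request and reply hash the same."""
    ends = sorted([(ip_a, port_a), (ip_b, port_b)])
    return (ends[0], ends[1], proto)


def packet_conn_key(pkt):
    """Return the connection key of an Ethernet/IPv4/TCP-or-UDP frame, or None if it is something else."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":      # not IPv4 over Ethernet
        return None
    ip = pkt[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if proto not in (6, 17) or len(ip) < ihl + 4:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return conn_key(src, sport, dst, dport, proto)


def filter_pcap(data, conn_ids):
    """Keep only records whose packet belongs to one of conn_ids.

    conn_ids: iterable of (orig_h, orig_p, resp_h, resp_p, "tcp"|"udp"), as collected at the breakpoint.
    Returns (filtered_pcap_bytes, kept_record_count). Global and record headers are copied unchanged.
    """
    wanted = {conn_key(h, p, rh, rp, PROTO[pr]) for h, p, rh, rp, pr in conn_ids}
    # Detect byte order from the magic number (classic or nanosecond pcap); pcapng is not handled here.
    endian = "<" if struct.unpack("<I", data[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    out, kept, off = [data[:24]], 0, 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        rec_end = off + 16 + incl_len
        if packet_conn_key(data[off + 16:rec_end]) in wanted:
            out.append(data[off:rec_end])
            kept += 1
        off = rec_end
    return b"".join(out), kept


def filter_pcap_file(in_path, out_path, conn_ids):
    """File wrapper around filter_pcap; returns the number of records written."""
    with open(in_path, "rb") as f:
        filtered, kept = filter_pcap(f.read(), conn_ids)
    with open(out_path, "wb") as f:
        f.write(filtered)
    return kept


# --- constructed sample data (not from any real capture) ---------------------------------

def build_udp_packet(src_ip, src_port, dst_ip, dst_port, payload=b"q"):
    """Minimal Ethernet/IPv4/UDP frame; checksums are left zero, which is fine for filtering."""
    eth = b"\x00" * 12 + b"\x08\x00"
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + udp


def build_pcap(packets):
    """Little-endian classic pcap (link type 1 = Ethernet) wrapping the given frames."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack("<IIII", i, 0, len(p), len(p)) + p for i, p in enumerate(packets)]
    return hdr + b"".join(recs)


SAMPLE_PCAP = build_pcap([
    build_udp_packet("10.0.0.1", 5353, "224.0.0.251", 5353),   # mDNS conn A, two packets
    build_udp_packet("10.0.0.1", 5353, "224.0.0.251", 5353),
    build_udp_packet("10.0.0.2", 40000, "8.8.8.8", 53),        # unicast DNS conn B, query ...
    build_udp_packet("8.8.8.8", 53, "10.0.0.2", 40000),        # ... and reply (reverse direction)
    build_udp_packet("10.0.0.3", 40001, "1.1.1.1", 53),        # conn C, not of interest
])

# Connection ids as the breakpoint would report them (orig_h, orig_p, resp_h, resp_p, proto).
HIT_CONN_IDS = [("10.0.0.2", 40000, "8.8.8.8", 53, "udp")]

if __name__ == "__main__":
    _, kept = filter_pcap(SAMPLE_PCAP, HIT_CONN_IDS)
    print(f"kept {kept} of 5 records")
```

Because the key is direction-independent, both the query and the reply of a connection reported once at the breakpoint survive the filter, which is what you want when the problem only shows up in the response. Non-IPv4 frames and non-TCP/UDP packets are dropped, so if the connections of interest are ICMP or IPv6 the key function needs extending.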