MyBroElk
Reading PCAPs as a stream
Not really an issue, just a tip.
Just wanted to point you towards a tool I use in a similar setup to work around issues with sessions spanning multiple PCAP files, the issue being that between bro runs no state is carried over from the previously read PCAP.
PCAPDJ from CIRCL (https://github.com/CIRCL/pcapdj) addresses this by providing a redis-backed queue to hold file processing paths and ordering, and simply spools the first PCAP to a fifo. The PCAP header is included in the first file but the footer is removed, and both are removed on all other files.
It uses libwiretap and I have had no luck compiling it unless I use libwiretap3 and the associated libwireshark3 and libwtap3.
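The stitching the post describes, several PCAP files fed to the reader as one stream with a single global header, as a minimal Python stand-in added here (this is not pcapdj's code, which the post says is built on libwiretap; the redis queue is assumed to be replaced by a plain list of paths, and only the classic pcap format, not pcapng, is handled). It validates each file's global header, refuses byte-order or link-type mismatches and truncated trailing records that would desync everything queued behind them, and spools the result into an existing named pipe; `build_pcap` only produces constructed sample input.

```python
import struct
GLOBAL_HEADER_LEN, RECORD_HEADER_LEN = 24, 16
MAGICS = {0xA1B2C3D4: ">", 0xD4C3B2A1: "<", 0xA1B23C4D: ">", 0x4D3CB2A1: "<"}  # magic read BE -> byte order

def parse_global_header(data):
    """Return (byte_order, snaplen, linktype) of a classic pcap blob, or raise."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("truncated global header")
    order = MAGICS.get(struct.unpack(">I", data[:4])[0])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    return (order,) + struct.unpack(order + "HHiIII", data[4:24])[4:]

def iter_records(data, order):
    """Yield raw packet records; a truncated tail is an error because it would desync the stream."""
    pos = GLOBAL_HEADER_LEN
    while pos < len(data):
        if pos + RECORD_HEADER_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % pos)
        end = pos + RECORD_HEADER_LEN + struct.unpack(order + "I", data[pos + 8:pos + 12])[0]
        if end > len(data):
            raise ValueError("truncated packet data at offset %d" % pos)
        yield data[pos:end]
        pos = end

def merge_pcaps(blobs):
    """One global header, then every record of every file; snaplen becomes the max seen."""
    order, snaplen, linktype = parse_global_header(blobs[0])
    header, out, count = bytearray(blobs[0][:GLOBAL_HEADER_LEN]), [], 0
    for blob in blobs:
        b_order, b_snaplen, b_linktype = parse_global_header(blob)
        if (b_order, b_linktype) != (order, linktype):
            raise ValueError("byte order or link type differs between files")
        snaplen = max(snaplen, b_snaplen)
        for rec in iter_records(blob, order):
            out.append(rec)
            count += 1
    struct.pack_into(order + "I", header, 16, snaplen)  # snaplen field sits at offset 16
    return bytes(header) + b"".join(out), count

def stream_to_fifo(paths, fifo_path):  # fifo_path: an existing named pipe (mkfifo)
    data, count = merge_pcaps([open(p, "rb").read() for p in paths])
    with open(fifo_path, "wb") as fifo:  # blocks until the PCAP reader opens the pipe
        fifo.write(data)
    return count

def build_pcap(payloads, order="<", snaplen=65535, linktype=1):
    """Constructed sample input: one record per payload, Ethernet link type."""
    hdr = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    recs = [struct.pack(order + "IIII", 1, i, len(p), len(p)) + p for i, p in enumerate(payloads)]
    return hdr + b"".join(recs)
```

The whole stream is assembled in memory before being written, which is fine for a test but a production spooler would write each record as it is read.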