bro man page

bro — passive network traffic analyzer


bro [options] [file ...]


Bro is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. More generally, however, Bro supports a wide range of traffic analysis tasks even outside of the security domain, including performance measurements and helping with troubleshooting.

Bro comes with built-in functionality for a range of analysis and detection tasks, including detecting malware by interfacing with external registries, reporting vulnerable versions of software seen on the network, identifying popular web applications, detecting SSH brute-forcing, and validating SSL certificate chains, among others.


policy file, or read stdin
exit immediately after parsing scripts
don't load scripts from the base/ directory
activate policy file debugging
-e, --exec <bro code>
augment loaded policies by given code
-f, --filter <filter>
tcpdump filter
dump current config into .state dir
command line help
-i, --iface <interface>
read from given interface
-p, --prefix <prefix>
add given prefix to policy file resolution
-r, --readfile <readfile>
read from given tcpdump file
-s, --rulefile <rulefile>
read rules from given file
-t, --tracefile <tracefile>
activate execution tracing
-w, --writefile <writefile>
write to given tcpdump file
print version and exit
-x, --print-state <file.bst>
print contents of state file
-z, --analyze <analysis>
run the specified policy file analysis
ignore checksums
force DNS
-I, --print-id <ID name>
print out given ID
-J, --set-seed <seed>
set the random number seed
-K, --md5-hashkey <hashkey>
set key for MD5-keyed hashing
print available plugins and exit (-NN for verbose)
prime DNS
print execution time summary to stderr
-R, --replay <events.bst>
replay events
enable rule debugging
-T, --re-level <level>
set 'RE_level' for rules
-U, --status-file <file>
record process status in file
activate watchdog timer
-X, --broxygen <cfgfile>
generate documentation based on config file
enable pseudo-realtime for performance evaluation (default 1)
--load-seeds <file>
load seeds from given file
--save-seeds <file>
save seeds to given file
The following option is available only when Bro is built with the --enable-debug configure option:
-B, --debug <dbgstreams>
Enable debugging output for selected streams ('-B help' for help)
The following options are available only when Bro is built with gperftools support (use the --enable-perftools and --enable-perftools-debug configure options):
show leaks
record heap


file search path
plugin search path
plugins to always activate
prefix list
disable DNS lookups
file to load seeds from
ASCII log file extension
Output file for script execution statistics
Disable Broxygen documentation support


bro was written by The Bro Project <info@bro.org>.


bro November 2014