bro man page

bro — passive network traffic analyzer


bro [options] [file ...]


Bro is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. More generally, however, Bro supports a wide range of traffic analysis tasks even outside of the security domain, including performance measurements and helping with trouble-shooting.

Bro comes with built-in functionality for a range of analysis and detection tasks, including detecting malware by interfacing to external registries, reporting vulnerable versions of software seen on the network, identifying popular web applications, detecting SSH brute-forcing, validating SSL certificate chains, among others.



policy file, or read stdin


exit immediately after parsing scripts


don't load scripts from the base/ directory


activate policy file debugging

-e--exec <bro code>

augment loaded policies by given code

-f--filter <filter>

tcpdump filter


dump current config into .state dir


command line help

-i--iface <interface>

read from given interface

-p--prefix <prefix>

add given prefix to policy file resolution

-r--readfile <readfile>

read from given tcpdump file

-s--rulefile <rulefile>

read rules from given file

-t--tracefile <tracefile>

activate execution tracing

-w--writefile <writefile>

write to given tcpdump file


print version and exit

-x--print-state <file.bst>

print contents of state file


ignore checksums


force DNS

-I--print-id <ID name>

print out given ID


print available plugins and exit (-NN for verbose)


prime DNS


print execution time summary to stderr

-R--replay <events.bst>

replay events


enable rule debugging

-T--re-level <level>

set 'RE_level' for rules

-U--status-file <file>

Record process status in file


activate watchdog timer

-X--broxygen <cfgfile>

generate documentation based on config file


enable pseudo-realtime for performance evaluation (default 1)

--load-seeds <file>

load seeds from given file

--save-seeds <file>

save seeds to given file

The following option is available only when Bro is built with the --enable-debug configure option:
-B--debug <dbgstreams>

Enable debugging output for selected streams ('-B help' for help)

The following options are available only when Bro is built with gperftools support (use the --enable-perftools and --enable-perftools-debug configure options):

show leaks


record heap



file search path


plugin search path


plugins to always activate


prefix list


disable DNS lookups


file to load seeds from


ASCII log file extension


Output file for script execution statistics


Disable Broxygen documentation support


bro was written by The Bro Project <>.


November 2014 bro System Administration Utilities