[Bro] Surprising behavior when reading packets from file vs interface.

Jim Mellander jmellander at lbl.gov
Fri Sep 24 11:41:46 PDT 2010

On Fri, Sep 24, 2010 at 11:09 AM, Robin Sommer <robin at icir.org> wrote:
> On Thu, Sep 23, 2010 at 15:28 -0700, you wrote:
>> Running 'bro -r' with a tracefile, however, causes bro to not bind to
>> the broccoli port, thus not communicating with the app - verified
>> w/netstat.
> This is actually intentional (because the timing can't be kept in
> sync between the trace and the (real-time) communication), and
> pseudo-realtime is indeed the recommended solution.

I gathered that from the code, however pseudo-realtime has its own
problems with timing.  I, for instance, want to measure the real
propagation delay and end-to-end processing time between bro and the
broccoli client in a controlled environment by passing a tracefile
thru bro to be processed in part via the broccoli client.

So bro sends current_time() to the broccoli client, which then takes a
timestamp, and can then determine the propagation delay - but
current_time() is altered by the pseudo-realtime value..  If you want
to go thru the tracefile as rapidly as possible, you will set
pseudo-realtime to >1, which messes up current_time(), and thus the
measurements.  Thus, I have a need to:

1. run thru a tracefile as rapidly as possible for testing,
2. keep the notion of current_time() accurate to wall time, and
3. run broccoli

Seems to me a few options can fulfill this:

1. Remove the test I mentioned
2. Have an explicit remote communications flag - probably having
remote communications be the default, and allow disabling via flag if

Anything I'm missing?

>> However, I'm not sure this behavior is optimal - there are a number of
>> bro applications now that may not need to listen to an interface (or
>> to a file, for that matter), but are strictly broccoli event driven,
> That's right, but when Bro is started without -r, it should actually
> work as you'd expect. Communication is only disabled when you give
> Bro a trace to read from . Are you seeing something different?

I've heard apocryphal stories of needing to have an interface open,
but that may be due to to old event-loop requiring packets.  Will ask
around and gather more data.

