[Bro] Multi-Thread bro with pcap file?

Luuk Hendriks luuk.hendriks at utwente.nl
Wed Apr 15 12:09:37 PDT 2015


Depending on your analysis, splitting the pcap with editcap (or splitting it at capture time already) and using GNU Parallel [0] can be a way of using multiple cores. I've successfully used this like so:

parallel --gnu --bar 'bro -r {} my-script.bro' ::: pcaps/capture.pcap*


The pcaps directory contains multiple pcap files (note the asterisk), and the output is written to stdout. You might want to capture the output to separate files and analyse those afterwards, again depending on what you want to do.


[0] http://www.gnu.org/software/parallel/

Hope this helps, 
 luuk


On Wed 15 Apr 2015, 11:05, Joe Blow wrote:
> Hey everyone,
> 
> I was wondering if anyone knows if it is possible to multi-thread BRO when
> you are reading the input from a file like this:
> 
> /bro/bin/bro -r "$1" /bro/share/bro/site/local.bro "Site::local_nets = {
> 10.0.0.0/8, 192.168.0.0/16, 216.46.96.0/19, 172.16.0.0/12 }"
> 
> Can this only be done with one thread?
> 
> Cheers,
> 
> JB
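
Added example, not part of the original thread: the split-and-parallelise approach from the reply above as one POSIX sh script, extended so each job runs in its own directory and keeps its logs separate. The file name split-bro.sh, the BRO and SCRIPT variables, the output layout and the default chunk size are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Usage (hypothetical file name):
#   sh split-bro.sh capture.pcap [outdir] [packets-per-chunk]
# Caveat: each bro process only sees its own chunk, so a connection that
# crosses a split point is logged as two partial connections.

BRO=${BRO:-bro}                  # bro binary (override for testing)
SCRIPT=${SCRIPT:-my-script.bro}  # script name as used in the post

abspath() { printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")"; }

# Log directory for one chunk: <logroot>/<chunk file name>
chunk_dir() { printf '%s/%s\n' "$2" "$(basename "$1")"; }

# Run bro on one chunk from inside its own directory. bro writes its *.log
# files to the working directory, so jobs sharing a directory would
# overwrite each other's logs.
analyze_chunk() {
    pcap=$(abspath "$1")
    dir=$(chunk_dir "$1" "$2")
    script=$SCRIPT
    if [ -f "$script" ]; then script=$(abspath "$script"); fi
    mkdir -p "$dir" || return 1
    ( cd "$dir" && "$BRO" -r "$pcap" "$script" > stdout.txt 2> stderr.txt )
}

main() {
    src=$1; out=${2:-out}; per=${3:-1000000}
    mkdir -p "$out/pcaps" "$out/logs" || return 1
    # editcap -c N starts a new output file every N packets
    editcap -c "$per" "$src" "$out/pcaps/capture.pcap" || return 1
    # one bro process per chunk; parallel defaults to one job per core
    parallel --gnu --bar sh "$0" --chunk {} "$out/logs" ::: "$out"/pcaps/capture*
}

case ${1:-} in
    --chunk) analyze_chunk "$2" "$3" ;;
    "")      : ;;   # no arguments: define the functions only
    *)       main "$@" ;;
esac
```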



