[Bro] Have a cluster infrastructure read pcaps

Seth Hall seth at icir.org
Tue Nov 1 07:35:32 PDT 2016

> On Oct 31, 2016, at 7:34 AM, william de ping <bill.de.ping at gmail.com> wrote:
> I was hoping for some solution that will keep bro process loaded and running and feeding it with pcaps.
> This way I can at least skip the reoccurring loading process.

You are going to have trouble keeping the logs with the original pcap in this case.  You could have sessions that cross the pcaps like this:

PCAP 1 -> TCP session establishment
PCAP 2 -> lots of session data
PCAP 3 -> TCP session teardown - The conn log entry will be written here!

Your logs won't match up as closely as you'd like and could become very confusing.  I would argue that this offline packet loading situation is one that you want to avoid at all costs, but if you have to live within that situation, I would argue that you want to keep the Bro processes up, treat the sequential files as a stream, and not try to tie logs to a particular file.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
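The three-file session described above, as an added example that is not part of the original thread and not Bro code: a toy connection tracker in Python that consumes a sequence of "pcap files" (constructed packet lists, not real captures; the file names, addresses and byte counts are made up). Fed as one stream, it writes a single conn record when the closing ACK arrives in the third file, tagged with the first and last file the session touched (the first/last-file tagging is an addition beyond the text, offered as one way to keep some link between a record and the files it came from). Reset per file, the same session becomes three fragmentary records, none of which looks like a normally terminated connection. The state strings only loosely imitate Bro's conn_state values.

```python
"""Toy flow tracker: shows where a conn record lands when a TCP session spans
several pcap files, and what per-file state reset does to it.  Added example,
not Bro code; all packets and file names below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]
# Constructed packet: (src_ip, src_port, dst_ip, dst_port, tcp_flags, payload_len)
Packet = Tuple[str, int, str, int, str, int]


@dataclass
class Conn:
    orig: Endpoint              # side first seen sending on this 4-tuple
    resp: Endpoint
    first_file: str             # file in which the first packet appeared
    last_file: str              # file in which the latest packet appeared
    orig_bytes: int = 0
    resp_bytes: int = 0
    pkts: int = 0
    syn_seen: bool = False
    handshake_done: bool = False
    fin_from: set = field(default_factory=set)

    def state(self) -> str:
        # Loosely modelled on Bro's conn_state letters.
        if not self.syn_seen:
            return "OTH"                 # picked up mid-stream, no SYN seen
        if len(self.fin_from) == 2:
            return "SF"                  # normal establishment and termination
        return "S1" if self.handshake_done else "S0"

    def record(self) -> dict:
        return {"orig": self.orig, "resp": self.resp,
                "first_file": self.first_file, "last_file": self.last_file,
                "orig_bytes": self.orig_bytes, "resp_bytes": self.resp_bytes,
                "pkts": self.pkts, "conn_state": self.state()}


class ConnTracker:
    """Keeps flow state across files and emits one record per connection."""

    def __init__(self) -> None:
        self.active: Dict[Tuple[Endpoint, Endpoint], Conn] = {}
        self.conn_log: List[dict] = []

    @staticmethod
    def _key(a: Endpoint, b: Endpoint) -> Tuple[Endpoint, Endpoint]:
        return (a, b) if a <= b else (b, a)   # direction-independent key

    def feed(self, filename: str, packets: List[Packet]) -> None:
        for src_ip, sport, dst_ip, dport, flags, plen in packets:
            src, dst = (src_ip, sport), (dst_ip, dport)
            key = self._key(src, dst)
            conn = self.active.get(key)
            if conn is None:
                conn = Conn(orig=src, resp=dst, first_file=filename, last_file=filename)
                self.active[key] = conn
            conn.last_file = filename
            conn.pkts += 1
            if src == conn.orig:
                conn.orig_bytes += plen
            else:
                conn.resp_bytes += plen
            if "S" in flags and src == conn.orig:
                conn.syn_seen = True
            if "S" in flags and "A" in flags and src == conn.resp:
                conn.handshake_done = True
            if "F" in flags:
                conn.fin_from.add(src)
            # Both sides have sent FIN and this is the closing ACK: the session is
            # torn down, so the record is written now, in whichever file this
            # packet came from (the "PCAP 3" case in the message above).
            if len(conn.fin_from) == 2 and "F" not in flags and "A" in flags:
                self.conn_log.append(conn.record())
                del self.active[key]

    def flush(self) -> None:
        """End of input: log whatever is still open, in whatever state it is."""
        for conn in self.active.values():
            self.conn_log.append(conn.record())
        self.active.clear()


# Constructed sample: one HTTP-like session split across three capture files.
CLIENT, SERVER = ("10.0.0.5", 40000), ("192.0.2.10", 80)

def c2s(flags: str, plen: int = 0) -> Packet:
    return (*CLIENT, *SERVER, flags, plen)

def s2c(flags: str, plen: int = 0) -> Packet:
    return (*SERVER, *CLIENT, flags, plen)

PCAPS = [
    ("trace-001.pcap", [c2s("S"), s2c("SA"), c2s("A")]),                               # establishment
    ("trace-002.pcap", [c2s("PA", 120), s2c("PA", 1460), s2c("PA", 800), c2s("A")]),   # data
    ("trace-003.pcap", [c2s("FA"), s2c("FA"), c2s("A")]),                              # teardown
]


def run_as_stream(pcaps) -> List[dict]:
    """One tracker across all files: the recommended 'treat files as a stream' mode."""
    tracker = ConnTracker()
    for name, pkts in pcaps:
        tracker.feed(name, pkts)
    tracker.flush()
    return tracker.conn_log


def run_per_file(pcaps) -> List[dict]:
    """Fresh tracker per file: what restarting the reader for every pcap does."""
    log: List[dict] = []
    for name, pkts in pcaps:
        tracker = ConnTracker()
        tracker.feed(name, pkts)
        tracker.flush()
        log.extend(tracker.conn_log)
    return log


if __name__ == "__main__":
    for mode, fn in (("stream", run_as_stream), ("per-file", run_per_file)):
        print(mode)
        for rec in fn(PCAPS):
            print("  ", rec)
```

In stream mode the single record carries first_file trace-001.pcap and last_file trace-003.pcap with conn_state SF; the record is only ever emitted while the third file is being read, which is exactly why it cannot be filed under the pcap that holds the handshake. Per-file mode produces a S1 fragment, an OTH fragment holding all the bytes, and an OTH fragment holding only the FINs.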
