[Bro] Have a cluster infrastructure read pcaps
philosnef at gmail.com
Sun Oct 30 12:26:35 PDT 2016
Run mergecap against your files and run bro against the one pcap file that
way. Call it done.
> Hi all,
> I have an issue with processing multiple pcap files in bro.
> Due to the fact that loading all of bro's scripts and infrastructure is a
> time-consuming task,
> processing each pcap file takes longer than it should.
> Is there any way that a bro cluster could be up and running and have its
> workers process the pcap files?
> btw, it needs to be a pcap file and not live capture using tcpreplay for
> transmitting them because of time issues (some sessions might be very long
> and bro will process the pcap file faster than retransmitting the same pcap
> If anyone can think of a better way to accomplish it, I am free for offers