[Bro] Have a cluster infrastructure read pcaps
william de ping
bill.de.ping at gmail.com
Mon Oct 31 01:25:30 PDT 2016
I cannot use mergecap and merge my pcaps because I need to keep them.
The reason for that is that I want to keep track and eventually store the
pcap file with its relevant log files produced from bro.
Therefore I want to keep the pcap file name.
Any ideas?
On Sun, Oct 30, 2016 at 9:26 PM, erik clark <philosnef at gmail.com> wrote:
> Run mergecap against your files and run bro against the one pcap file that
> way. Call it done.
>> Hi all,
>> I have an issue with processing multiple pcap files in bro.
>> Due to the fact that loading all of bro's scripts and infrastructure is a
>> time consuming task,
>> processing each pcap file takes longer than it should.
>> Is there any way that a bro cluster could be up and running and have its
>> workers process the pcap files?
>> btw, it needs to be a pcap file and not live capture using tcpreplay for
>> transmitting them because of time issues (some sessions might be very long
>> and bro will process the pcap file faster than retransmitting the same
>> If anyone can think of a better way to accomplish it, I am free for offers
> Bro mailing list
> bro at bro-ids.org
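One way to keep each pcap tied to its own Bro logs without merging them, added here as an example (it is not from anyone in this thread or from the Bro project): a small POSIX shell script that runs a separate `bro -C -r` per pcap, each inside a directory named after the pcap, several at a time, and writes a manifest of pcap SHA-256, file name, log directory and bro exit status. It assumes `bro` is on PATH (BRO_BIN overrides that) and that `sha256sum` is available; the directory layout, the manifest format and the JOBS knob are my own choices. It does not remove the per-process script-loading cost that started the thread; it only overlaps that cost by running several bro instances concurrently.

```shell
#!/bin/sh
# Added example, not code from the thread or the Bro project: run one
# `bro -r` per pcap, each in its own output directory named after the
# pcap, and record the pcap's SHA-256 next to its logs. Assumes `bro`
# is on PATH (override with BRO_BIN) and that `sha256sum` exists.
set -eu

BRO_BIN="${BRO_BIN:-bro}"   # bro binary (assumption: on PATH)
JOBS="${JOBS:-4}"           # how many bro processes to run at once

# process_pcap PCAP OUTROOT
# Runs bro on one pcap inside OUTROOT/<pcap basename>.logs/ (bro writes its
# logs into the current working directory) and appends a manifest line:
#   <sha256> <tab> <pcap basename> <tab> <log dir> <tab> <bro exit status>
process_pcap() {
    # absolute path, because we cd into the log directory before running bro
    pcap=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    outroot=$2
    name=$(basename "$pcap")
    outdir="$outroot/$name.logs"
    mkdir -p "$outdir"
    status=0
    # -C: ignore bad checksums, common in pcaps taken with offloading enabled
    ( cd "$outdir" && "$BRO_BIN" -C -r "$pcap" ) \
        > "$outdir/bro.stdout" 2> "$outdir/bro.stderr" || status=$?
    digest=$(sha256sum "$pcap" | awk '{print $1}')
    printf '%s\t%s\t%s\t%s\n' "$digest" "$name" "$outdir" "$status" \
        >> "$outroot/manifest.tsv"
}

# process_dir INDIR OUTROOT
# Processes every *.pcap in INDIR, at most $JOBS bro instances at a time.
process_dir() {
    indir=$1
    outroot=$2
    mkdir -p "$outroot"
    : > "$outroot/manifest.tsv"
    running=0
    for pcap in "$indir"/*.pcap; do
        [ -e "$pcap" ] || continue        # no match: the glob stays literal
        process_pcap "$pcap" "$outroot" &
        running=$((running + 1))
        if [ "$running" -ge "$JOBS" ]; then
            wait                           # simple batching, no job queue
            running=0
        fi
    done
    wait
}

# Usage: ./bro_pcaps.sh /path/to/pcaps /path/to/output
if [ $# -ge 2 ]; then
    process_dir "$1" "$2"
fi
```

Each log directory carries the pcap's hash in the manifest, so a log set can later be matched to the stored pcap even if the file is renamed; the exit status column is what you grep for to find pcaps bro could not read.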