[Bro] Is there a way to intentionally delay Bro's reading of trace file for something else to finish first?

Azoff, Justin S jazoff at illinois.edu
Mon Oct 9 15:33:20 PDT 2017

> On Oct 9, 2017, at 6:10 PM, Ren, Wenyu <wren3 at illinois.edu> wrote:
> Hello all,
> I have recently been using pybroker to feed some event data to my python program. I use the auto_event to do that and read traffic from a pcap file. However, it takes some time for the broker to establish the connection with my python program but the processing of the traffic starts immediately. As a result, the first part of the traffic is always missing in my python program. The following is how I set up the connection and utilize the auto_event. I am wondering if there is a way to intentionally delay Bro's processing of the pcap file so that the connection can be established before Bro starts to process the traffic.
> event bro_init() &priority=5
> {
>    Broker::enable();
>    Broker::connect("", broker_port, 1sec);
>    Broker::auto_event("bro/event/packet_get", FlowLevel::packet_get);
>    Broker::auto_event("bro/event/data_get", DataLevel::data_get);
> }
> Any help is appreciated. Thanks a lot.
> Best,
> Wenyu

You can try something like this, not sure if it will work though

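event resume()
    { continue_processing(); }  # start reading the trace again

event bro_init() &priority=5
    {
    # your existing stuff
    suspend_processing();  # hold the trace until resume() fires
    schedule 10secs { resume() };
    }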

You may want to look at the suggestion I wrote up here:


Having a 'pcapdir' pktsource plugin would solve a lot of problems like this.

Justin Azoff
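
An event-driven variant of the suggestion above, added here as an example (not code from either poster or from the Bro project): instead of resuming after a fixed 10 seconds, it resumes when Broker reports that the outgoing connection is up. It assumes the Broker API of Bro 2.5; the peer address, the port value, the topic and the `demo_event` event are placeholders.

```bro
# Added example; broker_host, broker_port, the topic and demo_event
# are placeholders, not values from the thread.
const broker_host = "127.0.0.1" &redef;
const broker_port: port = 9999/tcp &redef;

global demo_event: event(msg: string);

event bro_init() &priority=5
    {
    # Hold the trace before any packet is read.
    suspend_processing();

    Broker::enable();
    Broker::connect(broker_host, broker_port, 1sec);
    Broker::auto_event("bro/event/demo", demo_event);
    }

# Raised once the connection requested by Broker::connect() is established.
event Broker::outgoing_connection_established(peer_address: string,
                                              peer_port: port,
                                              peer_name: string)
    {
    # The peer is connected; start reading the trace.
    continue_processing();
    }
```

If the peer never comes up, Bro stays suspended and the trace is never read.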
