[Bro] Using Bro in offline mode (pcap spooling)
jsiwek at corelight.com
Fri Jan 12 08:38:33 PST 2018
On Fri, Jan 12, 2018 at 2:21 AM, Joseph Gresham <joe at onshore.com> wrote:
> Now recently I was reading this list and came across this
> where Seth mentions using the process command in broctl. I wanted to
> ask if that is still valid in a cluster environment, and if so how is
> the pcap distributed to workers?
The process command only runs the pcap through a single Bro instance,
so probably not what you need. There are more details on how it works
in the docs, for reference.