[Bro-Dev] One question about connection between Broccoli-Python and Bro

Seth Hall seth at icir.org
Wed Jul 11 08:19:46 PDT 2012


On Jul 11, 2012, at 10:26 AM, Scott Guan-Hua Tu wrote:

> Does anyone know the restrictions on using Broccoli-Python? 
> How can I get notifications from Bro when it is processing a tcpdump file?

Bro's event interface is primarily for realtime analysis, which you get from sniffing traffic on an interface.  If you are reading a tracefile, "real time" typically proceeds much faster than the wall clock, and since Bro's communication protocol was originally intended for multiple Bro instances to communicate with each other, things could become pretty badly confused if different Bro processes think the time is different.

Now, I agree with you that it seems like a very reasonable request for broccoli to be allowed to connect even when reading trace files (I've probably requested that feature myself at some point), but I'll leave it up to Robin or someone else to see if that's something that we could reasonably do (allow communication with broccoli even if reading trace files).

  .Seth 

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
