[Bro-Dev] One question about connection between Broccoli-Python and Bro
Robin Sommer
robin at icir.org
Wed Jul 11 08:39:37 PDT 2012
On Wed, Jul 11, 2012 at 11:19 -0400, you wrote:
> Bro's event interface is primarily for realtime analysis which you get
> from sniffing traffic on an interface. If you are reading a
> tracefile, "real time" typically proceeds much faster than the wall
> clock

There's actually a way to make it work: if you start Bro with the
option '--pseudo-realtime' it will enable the communication system
even when reading a trace. There's a catch though: it will now
"simulate" real-time by delaying processing of the trace according to
the timestamps in there, i.e., if you have a trace covering an
interval T, it will take Bro the same time T to process the trace
offline.

As that's however often inconvenient, there's one more knob: you can
give the option an integer factor (e.g., --pseudo-realtime=10), and it
will then scale up the time accordingly, i.e., process the trace 10
times as fast as real-time (i.e., M/10). By using a suitably large
factor, you may get the effect you're looking for.

Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org