[Bro] processing many files with bro
Robin Sommer
robin at icir.org
Wed Mar 10 08:30:56 PST 2010
On Wed, Mar 10, 2010 at 23:46 +0900, Veronica Estrada wrote:
> The other solution. I know that split pcap files can be merged into one bigger
> file, but I will have problems with memory, and bro may crash if it has a
> limitation for processing a big pcap file.
That's probably the best solution and you can do it on the fly: have
your merge tool (e.g., tcpslice) write to stdout and Bro read from
stdin with "-r -". The effect on memory will indeed be that of one
large pcap file but if that causes trouble, you should tweak the
Bro configuration.
Using &persistent is unlikely to do what you want as it stores only
script-level state, not internal state for connections that cross
file boundaries.
Robin
--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
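
Added example, not part of the message above or of the Bro project: a minimal stand-in for the merge tool in the reply (tcpslice in the original) that streams split classic-pcap files to stdout so Bro can read them with "-r -". It assumes the files are sequential pieces of one capture with the same byte order and link type; the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Stream split classic-pcap files to stdout as one capture (added example)."""
import struct
import sys

MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond pcap
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond pcap

def open_pcap(path):
    """Return (first_ts, global_header, file), file positioned at the first record."""
    f = open(path, "rb")
    ghdr = f.read(24)
    if len(ghdr) < 24 or ghdr[:4] not in MAGICS:
        raise ValueError(f"{path}: not a classic pcap file")
    peek = f.read(8)
    f.seek(24)
    # ts = (seconds, fraction) of the first packet; empty files sort first.
    ts = struct.unpack(MAGICS[ghdr[:4]] + "II", peek) if len(peek) == 8 else (0, 0)
    return ts, ghdr, f

def merge(paths, out):
    """Write one global header, then every complete record, oldest file first.
    Only one packet is held in memory at a time. Returns packets written."""
    parts = sorted((open_pcap(p) for p in paths), key=lambda x: x[0])
    first = parts[0][1]
    out.write(first)
    count = 0
    for _, ghdr, f in parts:
        with f:
            # Record headers are copied through unmodified, so the magic
            # (byte order, timestamp resolution) and link type must match.
            if ghdr[:4] != first[:4] or ghdr[20:24] != first[20:24]:
                raise ValueError(f"{f.name}: byte order or link type differs")
            endian = MAGICS[ghdr[:4]]
            while True:
                rec = f.read(16)
                if len(rec) < 16:
                    break
                incl_len = struct.unpack(endian + "I", rec[8:12])[0]
                data = f.read(incl_len)
                if len(data) < incl_len:      # truncated tail of a split file
                    break
                out.write(rec + data)
                count += 1
    return count

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: merge_pcaps.py FILE.pcap [FILE.pcap ...]")
    n = merge(sys.argv[1:], sys.stdout.buffer)
    print(f"merged {n} packets", file=sys.stderr)
```

Run as `python3 merge_pcaps.py part*.pcap | bro -r -`; the script name is an assumption.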