[Bro] Surprising behavior when reading packets from file vs interface.
Robin Sommer
robin at icir.org
Fri Sep 24 11:09:20 PDT 2010
On Thu, Sep 23, 2010 at 15:28 -0700, you wrote:
> Running 'bro -r' with a tracefile, however, causes bro to not bind to
> the broccoli port, thus not communicating with the app - verified
> w/netstat.
This is actually intentional (because the timing can't be kept in
sync between the trace and the (real-time) communication), and
pseudo-realtime is indeed the recommended solution.
> However, I'm not sure this behavior is optimal - there are a number of
> bro applications now that may not need to listen to an interface (or
> to a file, for that matter), but are strictly broccoli event driven,
That's right, but when Bro is started without -r, it should actually
work as you'd expect. Communication is only disabled when you give
Bro a trace to read from. Are you seeing something different?
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org