[Bro] Worker configuration in Bro cluster

Seth Hall seth at icir.org
Tue Nov 11 08:02:20 PST 2014


> On Nov 11, 2014, at 3:26 AM, Po-Ching Lin <pachinko.tw at gmail.com> wrote:
> 
>       We intend to deploy a Bro cluster, in which the workers will get packets
> from another program via pipe, instead of capturing packets directly from a
> network interface. In the case of a standalone deployment, we know it is trivial
> to achieve with a command such as "prog | bro -r -", where prog outputs
> packets to stdout. However, how should we configure the workers (or the
> manager) if the workers are to be launched from the manager through broctl?
> Thanks a lot.

Hm, that is a new challenge.  BroControl really isn't meant for that kind of behavior.  It's possible you could dig into it and make changes that would make it work.  What I would possibly look into instead is testing our upcoming packet-bricks[1] tool.  It uses netmap to pass packets around very efficiently and there is a new netmap feature called "pipes" (works on Linux and it's included in the upcoming FreeBSD 10.1) that it uses to pass packets to userland applications as sort of virtual interfaces.  I would recommend going this route because you should get significantly better performance passing packets through packet-bricks than if you are actually passing packets through pipes.

Here is a link to packet-bricks:
	https://github.com/bro/packet-bricks

Let me know if you need help figuring out anything about it and I can either help you or point you in the right direction.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
