[Bro] Information regarding worker thread in the bro architecture

Johanna Amann johanna at icir.org
Thu Jun 9 10:00:37 PDT 2016


Hello Sachin,

> I am currently studying the Bro architecture and am a bit confused about how the
> worker thread is implemented in the cluster architecture. My question is:
> does each worker thread perform the same set of activities as the other
> worker threads, or can each one have a different set of capabilities? If
> so, could you please let me know the set of capabilities a worker thread
> can have? In addition, does each worker thread run an event engine
> separately? Could you please elaborate a bit on the worker thread?

Actually, Bro uses multiprocessing instead of multithreading, which means
that in a cluster, several Bro processes are started using the same
binary. All workers do exactly the same work, just processing packets
from a different network card queue (or, if running on a different machine,
from different cards).

The manager of the cluster is another Bro process which does not handle
network traffic and is mostly responsible for writing log files.

All workers and the manager run completely separate event engines and can
also exchange networks between each other (this has to be specified
explicitly for each event).

Scripts can determine if they run on a manager or a worker node and adjust
their behavior depending on that.

I hope this helps,
 Johanna
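As an added illustration of the node-type branching and explicit per-event exchange described in the reply (this script is not from the post or from the Bro project; it assumes the Bro 2.x cluster framework, where `Cluster::local_node_type()`, `Cluster::node` and `Cluster::worker2manager_events` exist, and the `ConnCount::` names are our own):

```bro
# Added example: each worker counts the connections it sees in its own
# event engine and periodically ships the count to the manager, which
# holds no traffic state of its own and only aggregates what it receives.
module ConnCount;

export {
    ## Raised by a worker to report its per-interval count (our name).
    global worker_summary: event(node: string, n: count);
    ## How often each worker reports.
    const report_interval = 1min &redef;
}

# Events only cross process boundaries when listed explicitly, per event.
redef Cluster::worker2manager_events += /ConnCount::worker_summary/;

# Every worker process keeps its own copy of this state.
global local_conns = 0;

@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::WORKER )
# Workers are the only nodes that see packets, so only they count.
global report: event();

event connection_established(c: connection)
    {
    ++local_conns;
    }

event report()
    {
    # Raised here, delivered to the manager because of the redef above.
    event ConnCount::worker_summary(Cluster::node, local_conns);
    local_conns = 0;
    schedule report_interval { report() };
    }

event bro_init()
    {
    schedule report_interval { report() };
    }
@endif

@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER )
# The manager never handles traffic; it only aggregates worker reports.
global totals: table[string] of count &default=0;

event ConnCount::worker_summary(node: string, n: count)
    {
    totals[node] += n;
    print fmt("%s: %d connections (running total)", node, totals[node]);
    }
@endif
```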

