[Bro] Have a cluster infrastructure read pcaps

erik clark philosnef at gmail.com
Sun Oct 30 12:26:35 PDT 2016


Run mergecap against your files and run bro against the one pcap file that
way. Call it done.


>
> Hi all,
>
> I have an issue with processing multiple pcap files in bro.
> Due to the fact that loading all of bro's scripts and infrastructure is a
> time consuming task,
> processing each pcap file takes longer than it should.
>
> Is there any way that a bro cluster could be up and running and have its
> workers process the pcap files?
>
> btw, it needs to be a pcap file and not live capture using tcpreplay for
> transmitting them because of time issues (some sessions might be very long
> and bro will process the pcap file faster than retransmitting the same pcap
> file).
>
> If anyone can think of a better way to accomplish it, I am free for offers
> :)
>
>