[Bro] Have a cluster infrastructure read pcaps

william de ping bill.de.ping at gmail.com
Mon Oct 31 01:25:30 PDT 2016


Hi Erik,

I cannot use mergecap and merge my pcaps because I need to keep them
separated.
The reason for that is that I want to keep track and eventually store the
pcap file with its relevant log files produced from bro.
Therefore I want to keep the pcap file name.

Any ideas?

Thanks



On Sun, Oct 30, 2016 at 9:26 PM, erik clark <philosnef at gmail.com> wrote:

> Run mergecap against your files and run bro against the one pcap file that
> way, Call it done.
>
>
>>
>> Hi all,
>>
>> I have an issue with processing multiple pcap files in bro.
>> Due to the fact that loading all of bro's scripts and infrastructure is a
>> time-consuming task,
>> processing each pcap file takes longer than it should.
>>
>> Is there any way that a bro cluster could be up and running and have its
>> workers process the pcap files?
>>
>> btw, it needs to be a pcap file and not live capture using tcpreplay for
>> transmitting them because of time issues (some sessions might be very long
>> and bro will process the pcap file faster than retransmitting the same pcap
>> file).
>>
>> If anyone can think of a better way to accomplish it, I am free for offers
>> :)
>>
>>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
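One way to keep each pcap's name tied to the bro logs it produces, as an added example that is not part of this thread: run `bro -r` once per pcap inside a directory named after that pcap, and record the source path beside the logs. `BRO_BIN`, `OUT_ROOT`, `JOBS` and the `source.pcap.txt` marker file are assumed names chosen here; `bro -r <file>` is bro's real offline-read flag.

```shell
#!/bin/sh
# Constructed example: one bro run per pcap, logs kept in a directory named
# after the pcap so the pcap/log association survives. BRO_BIN, OUT_ROOT and
# JOBS are assumed names; bro -r is the real flag for reading a pcap file.
set -eu

BRO_BIN="${BRO_BIN:-bro}"
OUT_ROOT="${OUT_ROOT:-./bro-out}"
JOBS="${JOBS:-4}"

# Output directory for one pcap: OUT_ROOT/<basename without .pcap/.pcapng>
pcap_outdir() {
    name=$(basename "$1")
    case "$name" in
        *.pcapng) name="${name%.pcapng}" ;;
        *.pcap)   name="${name%.pcap}" ;;
    esac
    printf '%s/%s\n' "$OUT_ROOT" "$name"
}

# Run bro on one pcap inside its own directory. bro writes conn.log etc. to
# the current directory, and the absolute pcap path is recorded alongside so
# the pcap and its logs can later be archived together.
process_pcap() {
    pcap=$1
    dir=$(pcap_outdir "$pcap")
    mkdir -p "$dir"
    abs="$(cd "$(dirname "$pcap")" && pwd)/$(basename "$pcap")"
    printf '%s\n' "$abs" > "$dir/source.pcap.txt"
    (cd "$dir" && "$BRO_BIN" -r "$abs" >bro.stdout 2>bro.stderr)
}

# Process every pcap under a directory, JOBS at a time. The job limit is a
# plain batch-and-wait loop so this stays POSIX sh (no bash-only export -f).
process_all() {
    find "$1" -type f \( -name '*.pcap' -o -name '*.pcapng' \) |
    {
        running=0
        while IFS= read -r p; do
            process_pcap "$p" &
            running=$((running + 1))
            if [ "$running" -ge "$JOBS" ]; then
                wait
                running=0
            fi
        done
        wait
    }
}
```

This keeps the name association and uses the machine's cores, but each run still pays bro's script-loading startup cost that the original question was trying to avoid.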