[Bro] Have a cluster infrastructure read pcaps

erik clark philosnef at gmail.com
Mon Oct 31 03:37:48 PDT 2016 

If you cant run mergecap, you are going to have to do it as I posted
elsewhere on the mailing list (few days ago?) to walk the tree (simple
shell script). You will not be able to have Bro parse a bunch of pcaps
continuously. You will have to call it once for every pcap you have, and
deal with it that way.

Aside from which, if you need to keep the bro logs separate for each pcap,
even if you could process a bunch of these at once, bro is going to
comingle your logs, which you don't seem to want.

On Mon, Oct 31, 2016 at 4:25 AM, william de ping <bill.de.ping at gmail.com>
wrote:

> Hi Erik,
>
> I cannot use the megecap and merge my pcaps because I need to keep them
> separated.
> The reason for that is that I want to keep track and eventually store the
> pcap file with its relevant log files produced from bro.
> Therefore I want to keep the pcap file name.
>
> Any ideas ?
>
> Thanks
>
>
>
> On Sun, Oct 30, 2016 at 9:26 PM, erik clark <philosnef at gmail.com> wrote:
>
>> Run mergecap against your files and run bro against the one pcap file
>> that way, Call it done.
>>
>>
>>>
>>> Hi all,
>>>
>>> I have an issue with processing multiple pcap files in bro.
>>> Due to the fact that loading all of bro's scripts and infrastructure is a
>>> time consuming task,
>>> processing each pcap file takes longer than it should.
>>>
>>> Is there any way that a bro cluster could be up and running and have it's
>>> workers process the pcap files ?
>>>
>>> btw, it needs to be a pcap file and not live capture using tcpreplay for
>>> transmitting them because of time issues (some sessions might be very
>>> long
>>> and bro will process the pcap file faster than retransmitting the same
>>> pcap
>>> file).
>>>
>>> If anyone can think of a better way to accomplish it, I am free for
>>> offers
>>> :)
>>>
>>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161031/81e3adad/attachment.html

More information about the Bro mailing list