[Bro] Is there a way to intentionally delay Bro's reading of trace file for something else to finish first?
Azoff, Justin S
jazoff at illinois.edu
Mon Oct 9 15:33:20 PDT 2017
> On Oct 9, 2017, at 6:10 PM, Ren, Wenyu <wren3 at illinois.edu> wrote:
>
> Hello all,
>
> I have recently been using pybroker to feed some event data to my python program. I use auto_event to do that and read traffic from a pcap file. However, it takes some time for the broker to establish the connection with my python program, but the processing of the traffic starts immediately. As a result, the first part of the traffic is always missing in my python program. The following is how I set up the connection and utilize auto_event. I am wondering if there is a way to intentionally delay Bro's processing of the pcap file so that the connection can be established before Bro starts to process the traffic.
>
> event bro_init() &priority=5
>     {
>     Broker::enable();
>     Broker::connect("127.0.0.1", broker_port, 1sec);
>     Broker::auto_event("bro/event/packet_get", FlowLevel::packet_get);
>     Broker::auto_event("bro/event/data_get", DataLevel::data_get);
>     }
>
> Any help is appreciated. Thanks a lot.
>
> Best,
> Wenyu
>
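You can try something like this, not sure if it will work though:

event resume()
    {
    # Let the packet source deliver packets again.
    continue_processing();
    }

event bro_init() &priority=5
    {
    # your existing stuff

    # Hold packet processing, then resume after a fixed delay.
    suspend_processing();
    schedule 10secs { resume() };
    }
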
You may want to look at the suggestion I wrote up here:
http://mailman.icsi.berkeley.edu/pipermail/bro/2017-July/012355.html
Having a 'pcapdir' pktsource plugin would solve a lot of problems like this.
—
Justin Azoff
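
A variant of the suggestion above, added here as an example and not part of the original message: resume when the Broker connection is reported as established instead of after a fixed 10 seconds. It assumes the Bro 2.5-era Broker API used in the thread (`Broker::outgoing_connection_established`); the `Demo` module, the `conn_seen` event, its topic and the port are hypothetical placeholders.

```bro
# Added example (assumption: Bro 2.5-era Broker API, as in the thread).
# Demo::conn_seen, its topic and broker_port are hypothetical placeholders.
module Demo;

export {
    const broker_port: port = 9999/tcp &redef;
    global conn_seen: event(ts: time, uid: string);
}

event bro_init() &priority=5
    {
    # Hold the packet source so nothing from the trace is processed yet.
    suspend_processing();

    Broker::enable();
    Broker::connect("127.0.0.1", broker_port, 1sec);
    Broker::auto_event("bro/event/conn_seen", Demo::conn_seen);
    }

event Broker::outgoing_connection_established(peer_address: string,
                                              peer_port: port,
                                              peer_name: string)
    {
    # The peer is connected: start reading the trace.
    # Nothing else in this script resumes processing, so without a peer
    # the trace stays suspended.
    print fmt("broker peer %s:%s connected, resuming", peer_address, peer_port);
    continue_processing();
    }

event Broker::outgoing_connection_broken(peer_address: string, peer_port: port)
    {
    # Record when the peer dropped, so gaps in the consumer's data can be
    # matched against the trace timeline.
    print fmt("broker peer %s:%s lost at %s", peer_address, peer_port, network_time());
    }

event new_connection(c: connection)
    {
    # Placeholder producer for the forwarded event.
    event Demo::conn_seen(c$start_time, c$uid);
    }
```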