[Bro] Using Bro in offline mode (pcap spooling)

Jon Siwek jsiwek at corelight.com
Fri Jan 12 08:38:33 PST 2018


On Fri, Jan 12, 2018 at 2:21 AM, Joseph Gresham <joe at onshore.com> wrote:

> Now recently I was reading this list and came across this
> http://mailman.icsi.berkeley.edu/pipermail/bro/2014-September/007458.html
> where Seth mentions using the process command in broctl.  I wanted to
> ask if that is still valid in a cluster environment, and if so how is
> the pcap distributed to workers?

The process command only runs the pcap through a single Bro instance,
so probably not what you need.  There are more details on how it works
in the docs [1], for reference.

- Jon

[1] https://www.bro.org/sphinx/components/broctl/README.html#command-reference

