[Bro] Using Bro in offline mode (pcap spooling)
Jon Siwek
jsiwek at corelight.com
Fri Jan 12 08:38:33 PST 2018
On Fri, Jan 12, 2018 at 2:21 AM, Joseph Gresham <joe at onshore.com> wrote:
> Now recently I was reading this list and came across this
> http://mailman.icsi.berkeley.edu/pipermail/bro/2014-September/007458.html
> where Seth mentions using the process command in broctl. I wanted to
> ask if that is still valid in a cluster environment, and if so how is
> the pcap distributed to workers?
The process command only runs the pcap through a single Bro instance,
so probably not what you need. There are more details on how it works
in the docs [1], for reference.
- Jon
[1] https://www.bro.org/sphinx/components/broctl/README.html#command-reference