[Bro] Monitor progress and ETA while running bro

Assaf assaf.morami at gmail.com
Mon Oct 8 08:15:10 PDT 2018


Hi, I just wanted to share how I monitor progress and ETA while running bro
from a pcap file.

If I have only one pcap I use pipe viewer (the pv command) like this:

pv x.pcap | bro -r -

If I have more than one pcap, e.g. from a big tcpdump run, I merge all of
them on the fly using joincap ( https://github.com/assafmo/joincap ) like
this:

joincap *.pcap | pv -s $(du -bc *.pcap | awk '/total/{print $1}') | bro -r -

This way pv prints progress and ETA information while bro is running. :-)

Shameless plug - I wrote joincap specifically for these kinds of situations,
because mergecap and tcpslice do not handle errors very well.
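
The two pipelines from the message above wrapped in one shell function, as an added example that is not part of the original post. The function names are hypothetical; pv, joincap and bro are assumed to be on PATH. The size passed to pv -s is summed per file, so a capture whose name contains "total" cannot produce a second match the way it can with du -bc piped through awk '/total/'.

```shell
#!/bin/sh
# Added example (not from the original post): progress/ETA wrapper for bro.
# Function names are hypothetical; pv, joincap and bro must be installed
# for bro_with_progress to do anything useful.

# Print the combined on-disk size, in bytes, of the files given as arguments.
# Each file is measured on its own, so file names never influence the result
# and GNU du's -b option is not required.
pcap_total_bytes() {
    total=0
    for f in "$@"; do
        [ -f "$f" ] || { echo "not a file: $f" >&2; return 1; }
        size=$(wc -c < "$f") || return 1
        total=$((total + size))
    done
    echo "$total"
}

# Run bro over one or more pcaps while pv reports progress and ETA.
bro_with_progress() {
    [ "$#" -ge 1 ] || { echo "usage: bro_with_progress FILE.pcap..." >&2; return 2; }
    if [ "$#" -eq 1 ]; then
        # Single capture: pv reads the file itself and knows its size.
        pv "$1" | bro -r -
    else
        # Several captures: joincap merges them on the fly, so pv sees a
        # pipe and needs the expected size passed explicitly with -s.
        bytes=$(pcap_total_bytes "$@") || return 1
        joincap "$@" | pv -s "$bytes" | bro -r -
    fi
}
```

After sourcing the file, call it as bro_with_progress *.pcap from the directory holding the captures.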