I'd like to know if there is a way to select which script a worker is loading.
The goal is to limit the packets that needs to be analyzed.
On a dedicated interface I've mirrored traffic going to one of our server which has, along other protocols, tones of dns and nfs traffic, I'm only interested in dns traffic.
Nfs can be bandwidth consuming (up to 600mbps with capstats) so I'd like Bro to only analyses dns packets.
Can we tell Bro to only load dns inspector for a given interface/worker ?
I've also think of firewalling everything except udp/53 but i would have to give network interface an ip address....
broctl starts each worker with an option that tells each worker to use its own name as a script prefix. If you look at the running bro command you should see something like