Bro threads usage question

This is a question regarding Bro’s use of threads in Linux, for packet processing using the PCAP interface.

Looking at the source code, it looks like a worker will receive a packet using the pcap_next() call, process the packet in the same thread, and invoke pcap_next() again to receive the next packet after the thread is done processing the current packet. I just want to confirm that this is indeed the case. It is important in our environment for a packet to be processed fully by a thread before it retrieves the next packet from PCAP.

I would also like to know under what circumstances a Bro worker will create additional threads to process packets or for other functions, if indeed this happens… From my reading of the code, this does not seem to happen, but not being familiar with the code, I am sure I missed something!

I have searched the archives and did not find an answer. Any information, or pointers to information, will be highly appreciated. Thanks!

Raj

You are correct; Bro is single-threaded in terms of packet processing. Threads are currently only used for support tasks right now (logging, input).

  .Seth