Bro Time Machine is EOL?

Hi all,

Is Time Machine EOL? Is it possible to accomplish packet capture with Bro or do I need external software like tcpdump, netsniff, etc.?


As far as I’m aware, yes. Some alternatives to consider are gotm[1], Apache Metron, or stenographer.



> Is Time Machine EOL? Is it possible to accomplish packet capture with Bro or

Not quite. At least LBNL isn't letting it EOL. We had a very sharp student, Naoki
Eto, work/upgrade/optimize it a couple years ago:

Naoki's branch: topic/naokieto/ipv6 branch.

I made some minor tweaks related to VLANs and we use topic/aashish/ipv6.

Naoki's or my branch has very stable code - has IPv6 support built in, also a
ton of optimizations in performance. LBL uses this code for production and this
branch has been running easily for 3+ years with < 1G mem and < 9% CPU with 0.02%
cumulative packet drops on our external-DMZ taps.

We don't use indexes.

Also, I have two Bro scripts which, if enabled, help estimate what cutoffs you
should set up in your network for gaining 99.999% coverage for each bucket. And a
Python script which does similar counts on Bro's connection logs.

So yeah, Time Machine is very much in production and doing well. I just couldn't
get Naoki's branch merged into master. But use Naoki's (or my) branch and you'd
have pretty stable code with IPv6 support.

Let me know if you have any related questions.


Aashish, are you running this on FreeBSD 10? I ran into an issue with
building on FreeBSD 11 and 12-CURRENT that I have not had time to
debug. The code built fine on 10.3.

Yep, I am really interested because I will run this on FreeBSD too …


Yes, we run on 10.3. I haven't tried building on 11 or 12-CURRENT yet. I believe
someone else also mentioned this to me a bit ago. On my to-do list to see what's
going on wrt builds. I am guessing it's a gcc vs clang issue.