Multi-Thread bro with pcap file?

Hey everyone,

I was wondering if anyone knows if it is possible to multi-thread BRO when you are reading the input from a file like this:

/bro/bin/bro -r "$1" /bro/share/bro/site/local.bro "Site::local_nets = { 10.0.0.0/8, 192.168.0.0/16, 216.46.96.0/19, 172.16.0.0/12 }"

Can this only be done with one thread?

Cheers,

JB

tracereplay [http://www.wand.net.nz/trac/libtrace/wiki/TraceReplay] will let you loop packets around into a dummy network interface from an existing pcap/erf. It won't be a problem for bro to attach onto the dummy interface via pf_ring and cluster away at the traffic.

-Alex

Depending on your analysis, splitting the pcap with editcap (or splitting it at capture time already) and using GNU Parallel [0] can be a way of using multiple cores. I've successfully used this like so:

parallel --gnu --bar 'bro -r {} my-script.bro' ::: pcaps/capture.pcap*

The pcaps directory contains multiple pcap files (note the asterisk), and the output is written to stdout. You might want to capture the output to separate files and analyse those afterwards, again depending on what you want to do.

[0] http://www.gnu.org/software/parallel/

Hope this helps,
luuk
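An added worked version of the editcap + GNU parallel recipe above (my script, not Luuk's and not part of Bro): it splits the capture with editcap, runs one bro per chunk under parallel, and then merges the per-chunk logs. It assumes editcap, parallel and bro are on PATH, that each job loads the "local" site policy (standing in for my-script.bro), and a chunks/ and logs/ scratch layout under the current directory; all of those are my choices. Bro writes conn.log, dns.log and so on into its working directory, so every job gets a directory of its own. The merge step matters because Bro's ASCII logs carry #fields/#types header lines and a #close trailer, so a plain cat of N conn.log files puts headers in the middle of the result. The caveat behind "depending on your analysis": editcap cuts by packet count (-c) or by seconds (-i), not by flow, so a connection that straddles a chunk boundary appears as two partial conn.log entries, one per chunk.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: editcap, parallel and bro on
# PATH; the "local" policy is what each job loads; chunks/ and logs/ are scratch
# directories under the current directory.
#
#   sh parbro.sh all   capture.pcap [packets_per_chunk]   # split, analyse, merge
#   sh parbro.sh merge logs merged                         # logs/*/X.log -> merged/X.log

# Log directory for one chunk: chunks/part_00001.pcap -> logs/part_00001
logs_dir_for() {
    printf '%s\n' "logs/$(basename "$1" .pcap)"
}

# Analyse a single chunk in its own directory (bro logs go to the cwd).
run_one() {
    pcap=$1
    case "$pcap" in /*) ;; *) pcap="$PWD/$pcap" ;; esac   # absolute path, we cd below
    dir=$(logs_dir_for "$1")
    mkdir -p "$dir"
    ( cd "$dir" && bro -r "$pcap" local )
}

# Split by packet count (-c) and analyse every chunk in parallel.
run_all() {
    in=$1; pkts=${2:-100000}
    for tool in editcap parallel bro; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 1; }
    done
    mkdir -p chunks
    editcap -c "$pkts" "$in" chunks/part.pcap     # -> chunks/part_00000_<ts>.pcap, ...
    parallel --bar "sh '$0' one {}" ::: chunks/part_*.pcap
    merge_logs logs merged
}

# Merge <root>/<chunk>/<name>.log for every <name> into <out>/<name>.log:
# header lines only from the first chunk, intermediate #close lines dropped,
# the last chunk's #close appended. A log present in only some chunks (dns.log
# where DNS showed up) is merged from the chunks that have it.
merge_logs() {
    root=$1; out=$2
    mkdir -p "$out"
    for name in $(ls "$root"/*/*.log | xargs -n 1 basename | sort -u); do
        awk '
            FNR == 1   { nfile++ }
            /^#close/  { closeline = $0; next }
            /^#/       { if (nfile == 1) print; next }
                       { print }
            END        { if (closeline != "") print closeline }
        ' "$root"/*/"$name" > "$out/$name"
    done
}

case "${1:-}" in
    one)   run_one "$2" ;;
    all)   run_all "$2" "$3" ;;
    merge) merge_logs "$2" "$3" ;;
    *)     echo "usage: $0 all <pcap> [packets_per_chunk] | one <chunk.pcap> | merge <logs_dir> <out_dir>" >&2 ;;
esac
```

The chunk directories sort lexicographically (part_00000, part_00001, ...), which is what keeps the merged log in capture order. Bro's connection uids are random per process, so collisions across chunks are not a practical concern, but a uid seen in two chunks will never be the same connection: the half before the cut and the half after it are independent records.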

Alex and Luuk gave answers that will work, but I wanted to throw one more that is coming into the mix too. Eventually you should be able to use PacketBricks (https://github.com/bro/packet-bricks) to read in pcap files and distribute the traffic out to multiple workers. (just wanted to point out another direction we’re moving).

  .Seth