One question about connection between Broccoli-Python and Bro


I encountered a problem connecting Broccoli-Python to Bro.
Specifically speaking, I cannot connect Broccoli-Python to Bro when Bro is processing a tcpdump file as follows:
“Bro -r test.pcap”

However, I am able to connect Broccoli-Python to Bro when Bro is monitoring a network interface as follows:
“Bro -i eth0”

My Broccoli-Python is able to send/receive to/from Bro in the case above.

Does anyone know the restrictions on using Broccoli-Python?
How can I get notifications from Bro when it is processing a tcpdump file?

Thanks a lot.


Bro's event interface is primarily for real-time analysis, which you get from sniffing traffic on an interface. If you are reading a tracefile, "real time" typically proceeds much faster than the wall clock, and since Bro's communication protocol was originally intended for multiple Bro instances to communicate with each other, things could become pretty badly confused if different Bro processes think the time is different.

Now, I agree with you that it seems like a very reasonable request for broccoli to be allowed to connect even when reading trace files (I've probably requested that feature myself at some point), but I'll leave it up to Robin or someone else to see if that's something that we could reasonably do (allow communication with broccoli even if reading trace files).


There's actually a way to make it work: if you start Bro with the
option '--pseudo-realtime' it will enable the communication system
even when reading a trace. There's a catch though: it will now
"simulate" real-time by delaying processing of the trace according to
the timestamps in there, i.e., if you have a trace covering an
interval T, it will take Bro the same time T to process the trace.

As that's however often inconvenient, there's one more knob: you can
give the option an integer factor (e.g., --pseudo-realtime=10), and it
will then scale up the time accordingly, i.e., process the trace 10
times as fast as real-time (i.e., M/10). By using a suitably large
factor, you may get the effect you're looking for.