scheduled tasks on existing pcaps

dopheide · June 18, 2014, 5:13pm

Howdy,

We’re doing some fairly simple analysis regarding concurrent connections on existing pcaps. Bro basically does all of that for us, but I’m hoping to output the current number of active connections every few seconds.

Do Bro’s scheduled tasks run in real time or network time when a pcap is passed to it? I’m assuming real time, so my next question would be what’s the best way to output a regular status in original network time? I could fake it with tcpreplay, but I’d like to avoid that.

Thanks,
Dop

robin · June 18, 2014, 5:57pm

No, it's network time actually, which drives pretty much everything in
Bro so that output doesn't differ when running live vs from a trace.

Robin

Topic		Replies	Views
network_time Development development	2	138	May 6, 2022
Monitoring a directory and running bro on the PCAPs Zeek	8	191	May 6, 2022
Have a cluster infrastructure read pcaps Zeek	1	154	May 6, 2022
Question about processing network traffic Zeek	3	63	May 6, 2022
Bro Digest, Vol 109, Issue 14 Zeek	2	116	May 6, 2022

scheduled tasks on existing pcaps

Related topics