Using Bro without selectable fd support in libpcap


I am experimenting with Bro v2.3.1 using a version of libpcap that does not support an fd to call select() on.

I noticed that earlier versions had a compile time option --disable-select-loop to disable the use of this within Bro. The only way I could find to use the recent version of Bro was to modify the code in a similar way to the conditional compilation used by --disable-select-loop (forcing ‘idle = false’ in PktSrc::ExtractNextPacket).

Have I missed any Bro configuration (compile or run time) that will allow it to busy wait in recent versions? Is the intention for current and future versions of Bro to rely on selectable fd support in libpcap?

Thanks in advance for any advice.



It's been a while since we removed that. I believe it was primarily a
case of bit rot: nobody had been using it in a while and hence it
wasn't clear if it was still working; and it didn't seem necessary
anymore anyways.

I'd be reluctant to bring it back though, in the spirit of avoiding
configure time options where possible. One alternative might be
writing a plugin: current git master supports adding new packet sources
in the form of external plugins. You could turn the pcap code into
a new plugin that adapts the necessary pieces, and then use that
instead of the standard version.