Dear all,
We intend to deploy a Bro cluster in which the workers will get packets
from another program via a pipe, instead of capturing packets directly from a
network interface. In the case of a standalone deployment, we know it is trivial
to achieve with a command such as "prog | bro -r -", where prog outputs
packets to stdout. However, how should we configure the workers (or the
manager) if the workers are to be launched from the manager through broctl?
Thanks a lot.
Po-Ching
Hm, that is a new challenge. BroControl really isn't meant for that kind of behavior. It's possible you could dig into it and make changes that would make it work. What I would possibly look into instead is testing our upcoming packet-bricks[1] tool. It uses netmap to pass packets around very efficiently and there is a new netmap feature called "pipes" (works on Linux and it's included in the upcoming FreeBSD 10.1) that it uses to pass packets to userland applications as sort of virtual interfaces. I would recommend going this route because you should get significantly better performance passing packets through packet-bricks than if you are actually passing packets through pipes.
Here is a link to packet-bricks:
https://github.com/bro/packet-bricks
Let me know if you need help figuring out anything about it and I can either help you or point you in the right direction.
.Seth