When invoking Bro, you can control its behavior using the following flags:
-f filter
restrict_filter, or the default of “tcp or udp”.
-h
-i interface
Note that if no interfaces are specified, then Bro will not read any network traffic. It does not have a notion of a “default” interface from which to read.
-p prefix
-r readfile
Note that use of -r is mutually exclusive with use of -i. However, you can use -r when running scripts that refine interfaces, in which case the -r option takes precedence and Bro performs off-line analysis.
-s signaturefile
-w writefile
Note: One exception is that unless you are analyzing HTTP events (for example, by loading the http analyzer), Bro does not record the contents of HTTP SYN/FIN/RST packets to the trace file. The reason for this is that HTTP FIN packets often contain a large amount of data, which is of no interest if you are not using HTTP analysis, and because of the very high volume of HTTP traffic at many sites, removing this data can significantly reduce the size of the save file. Deficiency: Clearly, this should not be hardwired into Bro but under user control.
Save files written using -w are of course readable using -r. Accordingly, you will generally want to use -w when running Bro on live network traffic so you can rerun it off-line later to understand any problems that arise, and also to experiment with the effects of changes to the policy scripts.
You can also combine -r with -w to both read a save file (or several) and write another. This is of interest when using multiple instances of -r, as it provides a way to merge tcpdump save files.
-v
-F
The point behind this option is to ensure that Bro starts quickly, rather than possibly stalling for an indeterminate amount of time resolving a hostname. Fast startup simplifies checkpointing a running Bro: you can start up a new Bro and then kill off the old one shortly after. You'd like this to occur in a manner such that there's no period during which neither Bro is watching the network (the older because you killed it off too early, the newer because it's stuck resolving hostnames).
-O
-P
-W
Bro only activates the watchdog if it is reading live network traffic. The watchdog consists of a periodic timer that fires every WATCHDOG_INTERVAL seconds. (Deficiency: clearly this should be a user-definable value.) At that point, the watchdog checks to see whether Bro is still working on the same packet as it was the last time the watchdog expired. If so, then the watchdog logs this fact along with some information regarding when Bro began processing the current packet and how many events it processed after handling the packet. Finally, it prints the packet drop information for the different interfaces Bro was reading from, and aborts execution.
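The watchdog logic described above, as an added illustration that is not Bro's own source: a periodic check trips only when two consecutive expirations observe the same packet in progress, and on tripping it records how long ago that packet was taken up, how many events ran since, and the per-interface drop counters before aborting. The Engine, Watchdog and simulate names, the virtual clock (used in place of a real timer), and the drop counters are all constructed for the example; as in the text, the check is armed only for live capture.

```python
"""Stall-detecting watchdog modelled on the behaviour described for Bro's -W
option.  Added illustration only: this is not Bro's code, and the Engine,
Watchdog and simulate names are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Engine:
    """Minimal stand-in for the packet-processing loop the watchdog observes."""
    live: bool = True                       # watchdog is only armed for live capture
    current_packet: Optional[int] = None    # id of packet being processed, None if idle
    packet_started_at: float = 0.0          # virtual time at which processing of it began
    events_since_packet: int = 0            # events handled after taking that packet
    drops: Dict[str, int] = field(default_factory=dict)  # per-interface drop counters


class Watchdog:
    """Periodic timer handler: trips if two consecutive expirations see the same packet."""

    def __init__(self, engine: Engine, interval: float = 10.0):
        self.engine = engine
        self.interval = interval            # stands in for WATCHDOG_INTERVAL
        self.last_seen: Optional[int] = None
        self.log: List[str] = []
        self.aborted = False

    def expire(self, now: float) -> bool:
        """Called every `interval` seconds; returns True (and marks abort) on a stall."""
        if not self.engine.live:
            return False                    # not armed during off-line (-r) analysis
        pkt = self.engine.current_packet
        if pkt is not None and pkt == self.last_seen:
            stuck_for = now - self.engine.packet_started_at
            self.log.append(
                f"watchdog: still on packet {pkt}, began {stuck_for:.1f}s ago, "
                f"{self.engine.events_since_packet} events processed since")
            for iface, n in sorted(self.engine.drops.items()):
                self.log.append(f"watchdog: {iface}: {n} packets dropped")
            self.aborted = True             # a real implementation would abort here
            return True
        self.last_seen = pkt                # remember what we saw for the next expiration
        return False


def simulate(stall_on: Optional[int], n_packets: int = 6, per_packet: float = 3.0,
             interval: float = 10.0, live: bool = True, max_fires: int = 3) -> Watchdog:
    """Drive an Engine through n_packets in virtual time; packet `stall_on` never
    finishes.  Fires the watchdog at every multiple of `interval` and returns it."""
    eng = Engine(live=live, drops={"eth0": 0, "eth1": 4})   # constructed drop counters
    wd = Watchdog(eng, interval)
    now, next_fire = 0.0, interval
    for pkt in range(1, n_packets + 1):
        eng.current_packet, eng.packet_started_at, eng.events_since_packet = pkt, now, 0
        if pkt == stall_on:
            # This packet never completes: keep firing the timer until the watchdog
            # aborts, or give up after max_fires expirations (shows an unarmed watchdog).
            for _ in range(max_fires):
                now, next_fire = next_fire, next_fire + interval
                eng.events_since_packet += 2   # constructed: handlers keep emitting events
                if wd.expire(now):
                    return wd
            return wd
        end = now + per_packet
        while next_fire <= end:             # timer expirations that fall inside this packet
            now, next_fire = next_fire, next_fire + interval
            eng.events_since_packet += 2
            if wd.expire(now):
                return wd
        now = end
    eng.current_packet = None               # idle after the last packet: must not trip
    wd.expire(next_fire)
    return wd


if __name__ == "__main__":
    for line in simulate(stall_on=3).log:
        print(line)
```

The detector deliberately keys on packet identity rather than elapsed time per packet, which is why a packet that straddles a single expiration is tolerated and only one that is still current at the following expiration is reported; that coarse granularity is exactly what makes the interval worth making user-definable, as the text notes.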