[Bro] bro traffic analysis
gillsr at cymru.com
Mon Sep 28 08:36:05 PDT 2009
>> I just started using bro for offline traffic analysis. I don't know
>> which timers to tune to make the analysis of traces go faster. On
>> some of the traces, the analysis never finishes, and it is like bro is
>> waiting for some timer to expire.
> I've been working with someone else having a problem similar to yours.
> What would help most is if you were able to distribute one of the
> problematic tracefiles (hopefully, the smallest possible problematic
> file) so we could take a look at what's going on.
From what I've seen, I don't think the problem is only applicable to offline
tracefiles - it appears to happen on live traffic as well. My best guess is
that it is having a hard time when it only sees a portion of the full
traffic due to a busy link, thus making state tracking more problematic.
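The guess above, that state tracking gets harder when only part of a connection's traffic is seen and the analysis then sits on a timer, can be made concrete with a small simulation. The following is an added example, not Bro's code and not from either poster: it replays a constructed packet list through a toy TCP state table driven by packet timestamps (as offline analysis is), with a single made-up inactivity timeout standing in for Bro's own redef-able timer constants in bro.init (such as tcp_inactivity_timeout). A fully captured connection leaves the table when both sides send FIN; a connection whose server-side packets were never captured can only leave it when the timer fires, which needs a later packet to carry the clock that far.

```python
"""Toy connection-state tracker (constructed example, not Bro's code).

The clock is the packet timestamp, as in offline analysis: a timer only
fires when a later packet carries the clock past its expiry, so a
half-seen connection stays in the table until then.
"""

from dataclasses import dataclass, field


@dataclass
class Conn:
    key: tuple
    first_seen: float
    last_seen: float
    senders: set = field(default_factory=set)   # endpoints seen transmitting
    fin_from: set = field(default_factory=set)  # endpoints that sent FIN


def conn_key(src, dst):
    """Direction-independent connection key (constructed helper)."""
    return tuple(sorted((src, dst)))


def track(packets, inactivity_timeout):
    """Replay packets in timestamp order through a minimal TCP state table.

    packets: list of (ts, src, dst, flags); src/dst are 'ip:port' strings,
    flags is a string of TCP flag letters, e.g. 'S', 'SA', 'A', 'FA', 'R'.
    Returns a dict of connection-key lists:
      closed    - terminated by RST or by FIN from both sides
      expired   - removed only because the inactivity timer fired
      open      - still in the table when the trace ran out
      one_sided - connections where only one endpoint was ever seen sending
    """
    active = {}
    seen = {}  # every connection observed, for the one-sided report
    closed, expired = [], []

    def reap(now):
        # Timers advance with packet time: nothing expires between packets.
        for key, c in list(active.items()):
            if now - c.last_seen > inactivity_timeout:
                expired.append(key)
                del active[key]

    for ts, src, dst, flags in sorted(packets, key=lambda p: p[0]):
        reap(ts)
        key = conn_key(src, dst)
        c = active.get(key)
        if c is None:
            c = active[key] = Conn(key, ts, ts)
            seen[key] = c
        c.last_seen = ts
        c.senders.add(src)
        if "F" in flags:
            c.fin_from.add(src)
        if "R" in flags or len(c.fin_from) == 2:
            closed.append(key)
            del active[key]

    return {
        "closed": closed,
        "expired": expired,
        "open": list(active),
        "one_sided": [k for k, c in seen.items() if len(c.senders) == 1],
    }


# Constructed endpoints and traces (not captured data).
CLIENT, SERVER = "10.0.0.1:40000", "10.0.0.2:80"
CLIENT2 = "10.0.0.3:40001"
CLIENT3 = "10.0.0.4:40002"

# Trace 1: one fully captured connection, then one where every packet from
# the server side was lost (the situation a saturated tap produces).
FULL_AND_HALF = [
    (0.0, CLIENT, SERVER, "S"),
    (0.1, SERVER, CLIENT, "SA"),
    (0.2, CLIENT, SERVER, "A"),
    (1.0, CLIENT, SERVER, "FA"),
    (1.1, SERVER, CLIENT, "FA"),
    (2.0, CLIENT2, SERVER, "S"),
    (2.1, CLIENT2, SERVER, "A"),
    (3.0, CLIENT2, SERVER, "FA"),
]

# Trace 2: the same packets plus an unrelated SYN ten minutes later, which
# is what finally moves the clock past the half-seen connection's timer.
WITH_LATE_PACKET = FULL_AND_HALF + [(603.0, CLIENT3, SERVER, "S")]

TIMEOUT = 300.0  # seconds; a made-up value, not Bro's default


if __name__ == "__main__":
    for name, trace in (("full+half", FULL_AND_HALF),
                        ("with late packet", WITH_LATE_PACKET)):
        print(name, track(trace, TIMEOUT))
```

In the first trace the half-seen connection is reported as still open when the packets run out, which is the "waiting for some timer" symptom; only the second trace, with a packet far enough in the future, lets the timer fire. The one_sided list is the cheap check to run on a suspect tracefile before tuning anything: if many connections show traffic in one direction only, the capture is the problem rather than the timers.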