[Bro] processing many files with bro
hall.692 at osu.edu
Wed Mar 10 08:19:55 PST 2010
On Mar 10, 2010, at 9:46 AM, Veronica Estrada wrote:
> The other solution. I know that split pcap files can be merged into
> one bigger file, but I will have problems with memory, and bro may
> crash if it has a limitation for processing a big-size pcap file. So I
> am not considering this option.
I would go for this option. Bro *shouldn't* have memory problems as
long as you are expiring all of the state that is accumulated often
enough. When you run against the large tracefile, make sure you load
the "profiling" script so you can see how much memory your various
global variables are holding; that should tease out any variables
which you may need to tune to reduce memory usage.
Personally, I've processed a single multi-hundred gig tracefile with a
single Bro instance on a machine with 512 megs of memory and didn't
encounter any trouble.
Network Security - Office of the CIO
The Ohio State University