[Bro] processing many files with bro

Seth Hall hall.692 at osu.edu
Wed Mar 10 08:19:55 PST 2010


On Mar 10, 2010, at 9:46 AM, Veronica Estrada wrote:

> The other solution. I know that split pcap files can be merged into  
> one bigger file, but I will have problems with memory, and Bro may  
> crash if it has a limitation on processing large pcap files. So I  
> am not considering this option.


I would go for this option.  Bro *shouldn't* have memory problems as  
long as you are expiring all of the state that is accumulated often  
enough.  When you run against the large tracefile, make sure you load  
the "profiling" script so you can see how much memory your various  
global variables are holding; that should tease out any variables  
which you may need to tune to reduce memory usage.

Personally, I've processed a single multi-hundred gig tracefile with a  
single Bro instance on a machine with 512 megs of memory and didn't  
encounter any trouble.

   .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
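As an added illustration (not part of Seth's message or of Bro's own policy scripts), here is a small Bro-style script that does the two things recommended above: it loads the "profiling" script named in the reply, and it keeps its per-host state in tables with expiration attributes so that accumulated state is released instead of growing for the whole trace. The script name `profiling` is taken from the message; the table attributes and event names are Bro scripting-language features, and the variable names are made up for the example.

```bro
# Added example, not from the original message. Bro 1.x-style policy script.

# Periodically dump memory usage, including the size of each global
# variable, so oversized tables show up while a large trace is processed.
@load profiling

# Per-host state that would grow without bound on a multi-hundred-gigabyte
# trace unless entries expire. Here each entry is dropped 1 hour after it
# was created, regardless of later activity.
global conns_per_host: table[addr] of count &create_expire = 1 hr;

# Alternative policy: an entry's timer is reset whenever it is read or
# written, so only hosts idle for 30 minutes are forgotten.
global last_seen: table[addr] of time &read_expire = 30 min;

event connection_established(c: connection)
	{
	local orig = c$id$orig_h;

	# Count established connections per originating host.
	if ( orig !in conns_per_host )
		conns_per_host[orig] = 0;
	++conns_per_host[orig];

	# Record when the host was last active; the read/write refreshes the
	# expiration timer for this entry.
	last_seen[orig] = network_time();
	}
```

Run it offline against the merged trace with `bro -r big.pcap thisscript.bro` (file name hypothetical) and watch the profiling output: a global whose reported size keeps climbing across intervals is the one whose expiration attribute needs shortening.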