[Bro] Time Machine RAM usage question
gregor at icir.org
Tue Oct 26 17:13:32 PDT 2010
That sounds weird. I'm going to look into that.
Which kind of query did you use?
Can you maybe copy-paste a sample query plus the error message into an
On 10/26/10 14:04 , Martin Holste wrote:
> That's what I originally thought. What was throwing me was when I
> would try to find packets any older than the cutoff, the queries would
> come up empty, the log showing something like "query not found in
> connection table." So I ran "show conn sample" to see the connections
> table, and the oldest connections were always at the cutoff. When I
> looked through the source code, it appeared that connections older
> than the cutoff were evicted from the connections table, but the query
> depended on the connections table to find the packets on disk/ram.
> On Tue, Oct 26, 2010 at 2:43 PM, Vern Paxson <vern at icir.org> wrote:
>>> I don't think you need conn_timeout set that high.
>> Right. conn_timeout is how long to keep internal state when a connection
>> is inactive; *not* how long to keep recorded connections lying around.
Gregor Maier gregor at icir.org
Int. Computer Science Institute (ICSI) gregor at icsi.berkeley.edu
1947 Center St., Ste. 600 http://www.icir.org/gregor/
Berkeley, CA 94704