[Bro] Bro terminates on its own in PCAP read mode
jbarber at computer.org
Tue Apr 4 09:24:14 PDT 2017
Possibly just out of memory? That pcap has -- according to wireshark --
678714 IPv6 conversations. So bro will create that many connection table
entries. Those entries are not small and a number of related structures get
created too, so you end up with a ton of memory used by bro. And the
packets are all "received" within a few seconds so none of the connection
table entries will have timed out by the time you get to the end.
It's traditional on linux that the kernel allows memory to be
"overcommitted" but then if the kernel runs out of memory for critical
functions, it chooses a fat process to kill. References here:
So it's not that the pcap itself is too large -- bro basically reads and
processes one packet at a time -- it's that processing it takes more memory
than you have available.
On Mon, Apr 3, 2017 at 11:54 PM, Jeremy Gin <jgin at utexas.edu> wrote:
> I am trying to run Bro in PCAP read mode on PCAPs that contain flooding
> attacks created in a lab environment. I installed Bro from source and did
> not modify the local.bro. The command I am using is:
> "bro -r <name>.pcap -C local --time"
> This returns the following output:
> "WARNING: No Site::local_nets have been defined. It's usually a good idea
> to define your local networks.
> # initialization 2.756138
> # initialization 59M/49M
> I have attached the PCAP. My initial reaction is that the PCAP is too big
> as this happens to only PCAPs containing DOS attacks. However, the attached
> PCAP is 69 MB and Bro successfully runs on other PCAPs that are around 73
> MB. Can anyone explain why Bro is terminating itself?
> Any insight you can provide is much appreciated.
> Bro mailing list
> bro at bro-ids.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro