[Bro-Dev] [JIRA] (BIT-1215) bro-cut should be rewritten in C for speed and to not depend on gawk

Robin Sommer (JIRA) jira at bro-tracker.atlassian.net
Thu Jul 10 15:42:07 PDT 2014

    [ https://bro-tracker.atlassian.net/browse/BIT-1215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17108#comment-17108 ] 

Robin Sommer commented on BIT-1215:

Yes. Maybe a bit less than 2x, exponential grows quickly. :)

Would be nicer to recognize that differently, like by not finding a
log header; that way we can give a good error message. If such a check
is in place, I wouldn't actually bother with another double-check on
line length; in the unlikely case that the file has a correct header
but totally broken content, I'm sure there are plenty other cases
where bro-cut would fail, and it seems there's not more here that can
happen in addition than running out of memory (which the OS will

> bro-cut should be rewritten in C for speed and to not depend on gawk
> --------------------------------------------------------------------
>                 Key: BIT-1215
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1215
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro, bro-aux
>            Reporter: Daniel Thayer
>             Fix For: 2.4
> The current implementation of bro-cut is too slow when processing large log files (takes more than a minute to process a single log file a few hundred MB in size).  Justin Azoff rewrote bro-cut in C and found that it runs an order of magnitude faster.  Another benefit of a C version of bro-cut is that we will no longer depend on gawk for anything (and some of Bro's supported platforms do not include gawk by default).

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list