[Bro-Dev] [JIRA] (BIT-1215) bro-cut should be rewritten for speed and to not depend on gawk

Robin Sommer (JIRA) jira at bro-tracker.atlassian.net
Tue Jul 22 17:41:08 PDT 2014

    [ https://bro-tracker.atlassian.net/browse/BIT-1215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17200#comment-17200 ] 

Robin Sommer commented on BIT-1215:

I noticed a regression compared to the awk-version: the C bro-cut cannot handle more than one time column when converting to readable output. The branch {{topic/robin/ticket1215-merge}}  has a test case in {{bro-cut/multiple-times.test}}. Might be a bit painful to fix, but I think we should ...

> bro-cut should be rewritten for speed and to not depend on gawk
> ---------------------------------------------------------------
>                 Key: BIT-1215
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1215
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro, bro-aux
>            Reporter: Daniel Thayer
>            Assignee: Robin Sommer
>             Fix For: 2.4
> The current implementation of bro-cut is too slow when processing large log files (takes more than a minute to process a single log file a few hundred MB in size).  Justin Azoff rewrote bro-cut in C and found that it runs an order of magnitude faster.  Another benefit of a C version of bro-cut is that we will no longer depend on gawk for anything (and some of Bro's supported platforms do not include gawk by default).

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list