Bro Question

Matt Schnaider matt at cs.hmc.edu
Fri Feb 4 01:36:57 PST 2000


On Thu, 3 Feb 2000, Vern Paxson wrote:

> What volume traffic stream are you running it on, and with what tcpdump
> filter?  The symptoms sound like it is running out of virtual memory and
> starting to page-fault thrash.
> 
> 		Vern
> 

I'm using the suggested filter, i.e.:

./bro -f "((tcp[13] & 0x7 != 0) or \
 port telnet or tcp port 513 or port finger or port 111 or tcp port 113 or \
 port ftp or dst port 8000 or \
 (tcp and (ip[6:2] & 0x3fff != 0)))" \
 -i hme0 mt

Looking at the top stats for the system, top gives:

load averages:  1.00,  1.01,  1.01                                      00:15:11
22 processes:  20 sleeping, 1 running, 1 on cpu
CPU states:  0.0% idle, 99.8% user,  0.2% kernel,  0.0% iowait,  0.0% swap
Memory: 256M real, 76M free, 13M swap in use, 424M swap free

  PID USERNAME THR PRI NICE  SIZE   RES STATE   TIME    CPU COMMAND
 3172 root       1  40    0 4216K 3736K run    22.9H 99.51% bro
 3197 root       1  58    0 2152K 1488K cpu    14:05  0.25% top
  193 root       1  58    0 1872K  864K sleep   2:45  0.00% sshd1
    1 root       1  59    0 2232K  696K sleep   0:06  0.00% init

etc...

tcpdump is seeing between 250 and 2500 packets per second with no filter
depending on the time of day.  With the suggested filter, it sees about
1-100 packets per second.

-Matt

_._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._
Matthew J. Schnaider			East 121
Harvey Mudd College			x72006
340 E. Foothill Blvd.			Class of 2001
Claremont, CA 91711			Computer Science Department Staff

"For starters, what is an echo and what does it do? The echo program reads a 
 string and repeats it; think of the program as an automated liberal arts
 undergraduate student."

        -- Stephen Northcutt _Network Intrusion: An Analyst's Handbook_
._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._.
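As an added worked example, not part of the original message or of Bro itself: a Python re-implementation of the tcpdump filter quoted above, run over constructed raw IPv4 packets to show which traffic actually reaches Bro with it (the function names, the sample packets and the port-name expansions are assumptions made here).

```python
import struct

TCP, UDP = 6, 17
# Port clauses, as written in the post: "port telnet"/"port finger"/"port 111"/
# "port ftp" match TCP or UDP in either direction; "tcp port 513" and
# "tcp port 113" are TCP only; "dst port 8000" is destination only.
ANY_PROTO_PORTS = {23, 79, 111, 21}
TCP_ONLY_PORTS = {513, 113}
DST_PORTS = {8000}


def bro_filter_matches(pkt: bytes) -> bool:
    """True if the quoted tcpdump filter would pass this raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    frag = struct.unpack("!H", pkt[6:8])[0]
    # "(tcp and (ip[6:2] & 0x3fff != 0))": MF flag set or non-zero offset.
    if proto == TCP and frag & 0x3FFF:
        return True
    # libpcap evaluates tcp[]/port fields only on first fragments (offset 0);
    # later fragments carry no transport header, so they can never match here.
    if frag & 0x1FFF or proto not in (TCP, UDP):
        return False
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if {sport, dport} & ANY_PROTO_PORTS or dport in DST_PORTS:
        return True
    if proto == TCP:
        if {sport, dport} & TCP_ONLY_PORTS:
            return True
        # "tcp[13] & 0x7 != 0": FIN, SYN or RST set, i.e. connection
        # setup/teardown; plain data/ACK segments are dropped before Bro.
        return bool(pkt[ihl + 13] & 0x07)
    return False


def make_packet(proto: int, sport: int, dport: int, flags: int = 0,
                frag: int = 0) -> bytes:
    """Constructed sample: minimal IPv4 header plus a bare TCP or UDP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, frag, 64, proto, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    if proto == TCP:  # data offset 5, flags byte sits at TCP offset 13
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    return ip + l4


if __name__ == "__main__":
    syn = make_packet(TCP, 40000, 80, flags=0x02)
    ack = make_packet(TCP, 40000, 80, flags=0x10)
    print(bro_filter_matches(syn), bro_filter_matches(ack))  # True False
```

The SYN/ACK contrast is why the filtered rate drops from thousands of packets per second to a handful: only session control packets, the listed service ports and TCP fragments get through.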