Serious problem running bro-pub-0.8a48 on OpenBSD 3.3
Vern Paxson
vern at icir.org
Tue Dec 16 09:08:44 PST 2003
My apologies for dropping the ball on this thread :-(.
> - I am running this on a P3-600 MHz, 200 MB memory system. Is that too
> slow?
It crticially depends on your traffic volume. In my experience, a machine
like that should be able to monitor a network on the order of a hundred
machines with a 100 Mbps link; but that's somewhat a guess, as most of my
experience is with bigger/faster networks.
> - The size of the 'bro.core' file upon the seg-fault is of the order of 500
> MB.
> Isn't that weird?
This very likely indicates that Bro is crashing because you've reached
the process "datasize" limit. See what "limit datasize" reports.
> The response time of my system also increases drastically
That's because, given 200 MB of real memory, when Bro grows beyond that
towards 500 MB, you suffer a great deal of paging.
It appears very likely that you are encountering a memory leak.
Try (1) running the latest release (I just announced 0.8a58),
and, if the problem persists, turning on memory statistics, which
you can do by including "statistics.bro" as a policy script on the
command line or via @load.
Vern
More information about the Bro
mailing list