Bro's problems:Out of memory

臧冬松 zangds at netpower.com.cn
Tue Apr 27 01:48:21 PDT 2004 

----- Original Message ----- 
From: "Holger Dreger" <hdreger at net.in.tum.de>
To: <bro at lbl.gov>
Sent: Friday, April 23, 2004 4:46 PM
Subject: Re: Bro's problems:Out of memory


> On Fri, Apr 23, 2004 at 02:44:49PM +0800, ?????? wrote:
> >     We are intresting in Bro.But when we test it under a simulative network,
> > it was killed a few minutes by the linux systerm,giving the message of"
> > Out of memory",while Bro 's message is "internal error:double signal".
> 
> The amount of memory bro uses heavily depends on the policy scripts
> that you are running. If you additionally load the script
> statistics.bro you'll get a statistics.log file which should provide
> you information where the all the memory has gone. One common trick is
> to tune the various timeouts like the script reduce-memory.bro does.
> (Note: reduce memory sets timeouts that are perhaps not suitable to
> your needs)
> 
> Holger
> 
> --
> Holger Dreger * http://www.net.in.tum.de * Phone: +49 (0)89 289-18006
>    Computer Science Department * Technische Universitaet Muenchen

Thanks alot for your help!
But what I am thinking is whether there is a way to control Bro,so it will not run "out of memory"
any way.
For example,Bro will malloc a upper bound of 10M memory,and if there are more packets,we just 
drop them until there's free memory(other packet has gone,and released the memory).Thus,Bro will 
never go out of memory no matter how busy the network is!
As your suggest,I test Bro use:./bro -i eth1 finger.bro&.Here I modifies finger.bro:add 
"redef capture_filters += { ["finger"] = "tcp dst port 80 or tcp src port 80" };"in the begigning
of the script.Since finger.bro do a little things,then we can say the memory Bro use now is less depends
on the policy scripts.Then I simulate a stream of 5000/sec http connections,and after a few minutes,the same 
thing happed(out of memory):(.
Any suggestion?
Besides,if you can tell me where Bro malloc the memory space,and where and when to free them?
BEST WISHES!

Donal



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20040427/659d0379/attachment.html

More information about the Bro mailing list