[Bro] Running Bro with -r option

Robin Sommer sommer at in.tum.de
Wed Jan 19 06:53:32 PST 2005


On Wed, Jan 19, 2005 at 15:14 +0100, Christoph Goeldi wrote:

> To make it clear: I want to simulate the real resource usage
> how it would occur with the traffic in the tcpdump file.

Bro's internal time is based on packet timestamps, i.e. its notion
of time is the same regardless of whether you're reading a live stream
or a trace. In both cases Bro performs the same kind of analysis,
and therefore, in general, needs the same amount of CPU and memory.

There's one important point, though, that you lose with a trace: the
real-time behaviour. Most importantly, spikes in the processing time
don't do any harm in an offline analysis but may lead to significant
packet drops in real-time (and, naturally, when Bro drops packets,
it sees a different input stream, and then its analysis may differ,
too).

If you're interested, we've also done some CPU/memory measurements
and summarized them in a paper; see
http://www.net.in.tum.de/~robin/papers/ccs04.pdf

Robin

-- 
Robin Sommer * Room        01.08.055 * www.net.in.tum.de
TU Muenchen  * Phone (089) 289-18006 *  sommer at in.tum.de 
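The live-versus-trace divergence described in the message above, as an added example that is not part of the original thread or of Bro itself: a toy discrete-event model in Python. Both runs consume the same packets and the same per-packet analysis cost, so the total CPU work is identical as long as nothing is lost; the live run additionally has to keep up with wall-clock arrivals, so a single expensive packet stalls the analyzer while a bounded capture buffer fills and overflows. The packet timestamps, the per-packet costs, the spike and the buffer size are all constructed for the illustration, and the "analyzer" is a stand-in for Bro, not its code. Timestamps are integer microseconds, as in a pcap header, so the arithmetic is exact.

```python
"""Toy model of 'bro -r trace' versus live capture (constructed example)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Packet:
    ts: int    # capture timestamp in microseconds; this drives Bro's network time
    cost: int  # microseconds of analysis work the packet triggers (assumed value)


def make_trace(n: int = 50, gap: int = 1000, base_cost: int = 500,
               spike_at: int = 10, spike_cost: int = 20000) -> List[Packet]:
    """Constructed trace: one packet per millisecond, each costing 0.5 ms of
    analysis, except packet `spike_at`, which costs 20 ms (a processing spike)."""
    return [Packet(i * gap, spike_cost if i == spike_at else base_cost)
            for i in range(n)]


def run_offline(packets: List[Packet]) -> Tuple[int, int, int]:
    """Trace replay (-r): every packet is analysed and there is no deadline,
    because the internal clock advances with packet timestamps, not wall time.
    Returns (packets analysed, packets dropped, CPU microseconds spent)."""
    return len(packets), 0, sum(p.cost for p in packets)


def run_live(packets: List[Packet], buffer_size: int) -> Tuple[int, int, int]:
    """Live capture: packets arrive at p.ts in real time, wait in a kernel
    capture buffer of `buffer_size` slots, and the analyzer works through them
    in order.  A packet arriving while the buffer is full is lost and the
    analyzer never sees it.  Returns (analysed, dropped, CPU microseconds)."""
    buffer: List[Packet] = []
    free_at = 0          # wall-clock time at which the analyzer becomes idle
    analysed = dropped = cpu = 0

    def drain(now) -> None:
        """Let the analyzer pick up queued packets it could have started by `now`."""
        nonlocal free_at, analysed, cpu
        while buffer:
            start = max(free_at, buffer[0].ts)
            if start > now:
                break            # still busy with an earlier packet
            pkt = buffer.pop(0)
            free_at = start + pkt.cost
            analysed += 1
            cpu += pkt.cost

    for p in packets:
        drain(p.ts)
        if len(buffer) >= buffer_size:
            dropped += 1         # capture buffer overflow: a different input stream
        else:
            buffer.append(p)
    drain(float("inf"))          # no more arrivals; finish the backlog
    return analysed, dropped, cpu


if __name__ == "__main__":
    trace = make_trace()
    print("offline (-r)        :", run_offline(trace))
    print("live,  8-slot buffer:", run_live(trace, 8))
    print("live, 32-slot buffer:", run_live(trace, 32))
```

With the constructed trace, the offline run analyses all 50 packets for 44.5 ms of CPU. The live run with an 8-slot buffer loses the 11 packets that arrive while the analyzer is stuck on the 20 ms packet, so it does less work in total but on a different input stream; widening the buffer to 32 slots absorbs the spike and the two runs agree again. The same packets cost the same CPU in both modes, which is the point of the reply: the trace reproduces the work, not the deadline.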


