[Bro] Time Machine

Weisbrod, Marc MWeisbrod at its.ucsf.edu
Fri May 26 14:37:50 PDT 2006 

All,

 

I am working with the time machine and I getting logs (tm.log) but I am
not seeing IP data being written to the disk.  

 

My tm.conf file looks like this:

 

main {

        logfile "tm.log";

        workdir "/data/tmp";

        log_interval 10;

        device "em2";

#      read_tracefile "trace.pcap";

        filter "net 128.218.0.0/16";

#      bro_connect_str "localhost:47757";

        console 0;

        max_index_entries 50000;

        conn_timeout 1800;

}

 

class "tcp" {

 filter "tcp";

 precedence 5;

 cutoff 10k;

 disk 700g;

 filesize 100m;

 mem 10M;

 pkts_to_disk 2;

}

 

class "udp" {

 filter "udp";

 precedence 5;

 cutoff 10k;

 disk 500g;

 mem 10m;

}

 

The output of the tm.log file is similar to this:

 

 

191 476 429936 4056 79191 476 1148677908.887460 0 0 0.000000

1148679239.066095  stats_indexes: 209 ip index nodes  244 port index
nodes  291 connection index nodes

1148679239.066137  stats_conns: 254 conns

1148679239.066206  stats_queries: 0 query subscriptions

1148679239.066264  stats_rusage: 0.83 s user + 1.04 s sys CPU  28028
MAXRSS

1148679249.067674  stats: 71966/0 recvd/dropd P (0.00) 71942 P 45510646
B 0.4 Mbit/s

1148679249.067806  stats_classes: class_tcp 407165 1704 44590156 65663
407165 1704 1148677908.821760 0 0 0.000000 class_udp 79281 477 433328
4088 79281 477 1148677908.887460 0 0 0.000000

1148679249.067931  stats_indexes: 213 ip index nodes  246 port index
nodes  293 connection index nodes

1148679249.067973  stats_conns: 256 conns

1148679249.068066  stats_queries: 0 query subscriptions

1148679249.068106  stats_rusage: 0.84 s user + 1.04 s sys CPU  28028
MAXRSS

1148679259.069525  stats: 72543/0 recvd/dropd P (0.00) 72519 P 45939651
B 0.3 Mbit/s

1148679259.069684  stats_classes: class_tcp 407285 1706 45015383 66203
407285 1706 1148677908.821760 0 0 0.000000 class_udp 79547 480 436720
4120 79547 480 1148677908.887460 0 0 0.000000

1148679259.069819  stats_indexes: 218 ip index nodes  251 port index
nodes  297 connection index nodes

1148679259.069861  stats_conns: 259 conns

1148679259.069946  stats_queries: 0 query subscriptions

1148679259.069986  stats_rusage: 0.86 s user + 1.04 s sys CPU  28028
MAXRSS

1148679269.071378  stats: 73177/0 recvd/dropd P (0.00) 73152 P 46424467
B 0.4 Mbit/s

1148679269.071513  stats_classes: class_tcp 407285 1706 45496807 66804
407285 1706 1148677908.821760 0 0 0.000000 class_udp 79547 480 440112
4152 79547 480 1148677908.887460 0 0 0.000000

1148679269.071652  stats_indexes: 218 ip index nodes  251 port index
nodes  297 connection index nodes

1148679269.071695  stats_conns: 259 conns

1148679269.071764  stats_queries: 0 query subscriptions

1148679269.071803  stats_rusage: 0.87 s user + 1.04 s sys CPU  28028
MAXRSS

 

Has any on run into this behavior before?

 

Marc

 

 

Marc Weisbrod

Security Engineer 

University of California at San Francisco

1855 Folsom Street, Room 602

San Francisco, CA 94103

415.476.1841 

mweisbrod at its.ucsf.edu

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20060526/0586a69b/attachment.html

More information about the Bro mailing list