[Bro] Continuous memory growth without tcp.bro

Thomas, Eric D. edthoma at sandia.gov
Mon May 7 14:17:32 PDT 2007


Without tcp.bro the memory footprint of the Bro process increases until it
reaches the memory limit and Bro dies. I conducted the following tests:

1. bro -i eth0 profiling.bro
2. bro -i eth0 -f "tcp" profiling.bro
3. bro -i eth0 -f "tcp" profiling.bro tcp.bro
4. bro -i eth0 profiling.bro tcp.bro

Only test 4 didn't result in outrageous memory usage. Obviously the
capture-filter preventing the processing of data packets is the reason. But
I'm curious, what exactly does Bro store when processing data packets that
causes such a memory bloat? I would have figured the processing of data
packets only results in updating pre-existing connection state objects. Is
there any way to prevent this bloat without modifying the source code?
Thanks,

Eric




