[Bro] bro traffic analysis

Vern Paxson vern at icir.org
Mon Sep 28 09:55:13 PDT 2009


> From what I've seen, I don't think the problem is only applicable to offline
> tracefiles - it appears to happen on live traffic as well.

Sure, that would simply mean that whatever's triggering it is (unsurprisingly)
showing up in the live traffic.

> My best guess is
> that it is having a hard time when it only sees a portion of the full
> traffic due to a busy link, thus making state tracking more problematic.

That won't hang it or even particularly burn up CPU.  (We run in a lot of
environments with busy links, so know this from experience.)

We could really use a trace that reproduces the problem to track this down.
Very likely it's a bug in an analyzer that's entering an infinite loop.
An alternative way to track it is to attach a debugger when it appears to
be wedged and get a traceback to see what it's doing.  This will only be
effective if Bro has been built with ./configure --enable-debug.

		Vern
