[Bro] bro traffic analysis
Stephen Gill
gillsr at cymru.com
Mon Sep 28 10:08:31 PDT 2009
> Sure, that would simply mean that whatever's triggering it is (unsurprisingly)
> showing up in the live traffic.
Yep! Stopping a daemonized BRO shows the same general symptoms where the
process does not die in a reasonable amount of time.
>> My best guess is
>> that it is having a hard time when it only sees a portion of the full
>> traffic due to a busy link, thus making state tracking more problematic.
>
> That won't hang it or even partiuclarly burn up CPU. (We run in a lot of
> environments with busy links, so know this from experience.)
What I've seen is not so much the CPU hanging (though it was at 98% both in
and out of wedge), but BRO ends up processing a lot of timers and events at
this stage. Mostly rellated to conn.bro, but also in my case weird.bro,
port-name.bro, hot.bro events were firing.
It's not so much the amount of data I'm referring to but the data that makes
it to BRO. Assuming high random packet drops on a saturated link, stateful
tracking is problematic and most everything looks unatural because you're
not necessarily seeing the full picture. At least in my case, I had to turn
off ALL weird logging because it basically didn't apply to me.
Things did complete on a tracefile eventually, but very slowly. That
implied to me that it wasn't an infinite loop. The process looked something
like this (pardon the layman's view):
- Read pcap and process somewhat normally from start to finish
- Reach the end of the pcap as evidenced by the tracefile output
- Enter wedge state where the results take a very long time to complete
presumably due to processing of events/sessions still in state.
Unfortunately I'm not in a position to be able to provide tracefiles on this
particular issue.
-- steve
More information about the Bro
mailing list