[Bro] Time Machine RAM usage question

Martin Holste mcholste at gmail.com
Tue Oct 26 14:04:46 PDT 2010


That's what I originally thought.  What was throwing me was when I
would try to find packets any older than the cutoff, the queries would
come up empty, the log showing something like "query not found in
connection table."  So I ran "show conn sample" to see the connections
table, and the oldest connections were always at the cutoff.  When I
looked through the source code, it appeared that connections older
than the cutoff were evicted from the connections table, but the query
depended on the connections table to find the packets on disk/RAM.

On Tue, Oct 26, 2010 at 2:43 PM, Vern Paxson <vern at icir.org> wrote:
>> I don't think you need conn_timeout set that high.
>
> Right.  conn_timeout is how long to keep internal state when a connection
> is inactive; *not* how long to keep recorded connections lying around.
>
>                Vern
>



