[Bro] out of memory after a couple days?

Mike Sconzo sconzo at visiblerisk.com
Thu Dec 5 08:39:57 PST 2013


Ooops, that's drops, here's ram. The past 24 (time since last restart)
have been pretty kind so far, but still some differences.

Bro Top
-------
Name       Type       Node       Pid      Proc     VSize    Rss
Cpu      Cmd
manager    manager    130.253.254.11 5075     child    153M      36M
  25%      bro
manager    manager    130.253.254.11 5070     parent     3G       1G
  4%       bro
proxy-1    proxy      130.253.254.11 5179     child    165M      49M
  25%      bro
proxy-1    proxy      130.253.254.11 5131     parent   260M     157M
  0%       bro
worker-1-1 worker     130.253.254.11 5303     parent   444M     343M
  16%      bro
worker-1-1 worker     130.253.254.11 5313     child    199M      90M
  14%      bro
worker-1-2 worker     130.253.254.11 5307     parent     6G       6G
  45%      bro
worker-1-2 worker     130.253.254.11 5314     child    199M      90M
  16%      bro
worker-1-3 worker     130.253.254.11 5326     child    199M      90M
  18%      bro
worker-1-3 worker     130.253.254.11 5306     parent   512M     410M
  16%      bro
worker-1-4 worker     130.253.254.11 5308     parent   562M     463M
  18%      bro
worker-1-4 worker     130.253.254.11 5329     child    199M      90M
  18%      bro
worker-1-5 worker     130.253.254.11 5302     parent     2G       2G
  20%      bro
worker-1-5 worker     130.253.254.11 5318     child    199M      90M
  18%      bro
worker-1-6 worker     130.253.254.11 5305     parent     2G       2G
  22%      bro
worker-1-6 worker     130.253.254.11 5315     child    199M      90M
  16%      bro
worker-1-7 worker     130.253.254.11 5304     parent     1G       1G
  18%      bro
worker-1-7 worker     130.253.254.11 5328     child    199M      90M
  18%      bro
worker-1-8 worker     130.253.254.11 5327     child    199M      90M
  18%      bro
worker-1-8 worker     130.253.254.11 5301     parent     2G       2G
  16%      bro

On Thu, Dec 5, 2013 at 10:32 AM, Mike Sconzo <sconzo at visiblerisk.com> wrote:
> Only a couple of out my 8.
>
> Past 24hrs.
>
> Bro Netowrk Summary
> -------------------
> worker-1-1: 1386256281.234408 recvd=129751113 dropped=15 link=129751113
> worker-1-2: 1386256281.438440 recvd=140506954 dropped=539300 link=140506954
> worker-1-3: 1386256281.638378 recvd=117420631 dropped=1043252 link=117420631
> worker-1-4: 1386256281.838171 recvd=163357938 dropped=17 link=163357938
> worker-1-5: 1386256282.038370 recvd=145517241 dropped=52855 link=145517241
> worker-1-6: 1386256282.238350 recvd=144958714 dropped=18 link=144958714
> worker-1-7: 1386256282.438315 recvd=185940362 dropped=31 link=185940362
> worker-1-8: 1386256282.638694 recvd=158251689 dropped=33170 link=158251689
>
> On Thu, Dec 5, 2013 at 10:20 AM, Seth Hall <seth at icir.org> wrote:
>>
>> On Dec 5, 2013, at 9:12 AM, Mike Patterson <mike.patterson at uwaterloo.ca> wrote:
>>
>>> That was my assumption too. I upgraded on 8 November, leaked early AM 16th, and then again on the 29th. Traffic would have been at an ebb on the 16th, and rising on the 29th, so I don’t think it’s sheer volume - as you say, there must be something *in* the traffic. Or more likely, a sequence of things, otherwise I expect 2.2 would be vomiting all over my RAM far more often.
>>
>>
>> Another question I had is if you're only seeing it on a couple of worker processes or if it's all of them?
>>
>> That might narrow it down a bit to tell us if it's just a single connection doing something weird that is causing it or if it's something larger.
>>
>>   .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
> --
> cat ~/.bash_history > documentation.txt



-- 
cat ~/.bash_history > documentation.txt




More information about the Bro mailing list