[Bro] Timemachine question - pkts_to_disk did not flush

Aashish Sharma asharma at lbl.gov
Mon May 22 16:10:12 PDT 2017


Chris, 


I think because you've got mem 5000m, which means about 5GB of pcaps will be in memory before it starts writing to disk. 

(Huge mem option is generally useful for when bro talks to timemachine and needs to extract pcaps for particular notices. TimeMachine searches memory before searching on the disk for said connections)

Aashish 

On Mon, May 22, 2017 at 02:52:37PM -0400, Chris Chiaverini wrote:
> Please help.
> 
> I was collecting something in particular and noticed that timemachine is 
> not flushing to disk as expected.
> 
> I have my "all" class set to 100 packets and the class log shows 108 
> packets but there is no pcap file yet.  Is there a way to force 
> timemachine to flush to disk (kill switch maybe?)?
> 
> This is my timemachine.cfg:
> 
> global filter is by host
> 
> <OMITTED>
> 
>          filter "host xxx.xxx.xxx.xxx";
> <OMITTED>
> 
> class "all" {
>          #filter "";
>          precedence 1;
>          cutoff no;
>          disk 50g;
>          filesize 128m;
>          mem 5000m;
>          pkts_to_disk 100;
> }
> 
> Here is the class log:
> 
> # head -1 classes.timemachine.log && tail -1 classes.timemachine.log
> timestamp class stored_bytes stored_pkts cut_bytes cut_pkts mem_bytes mem_pkts mem_dt disk_bytes disk_pkts disk_dt
> 1495478432.93 class_all 7182 108 0 0 7182 108 541110.36 0 0 0.00
> #
> 
> 
> -- 
> 
> 
> Regards,
> 
> Chris
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
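A small check that follows from Aashish's explanation: if nothing is written until the class's mem budget is exhausted, the question "why is there no pcap yet?" is answered by comparing mem_bytes in classes.timemachine.log against the mem limit in timemachine.cfg. The script below is an added example, not code from the thread or from Time Machine; it embeds the class block and log line Chris posted as constructed input. It assumes that the k/m/g size suffixes are binary units (1024-based) and that a class only reaches disk once disk_pkts becomes non-zero, both of which are assumptions, not documented Time Machine behaviour.

```python
"""Compare a Time Machine class's mem budget with its class log.

Added example (not part of the original thread or of Time Machine).
Parses the `class` block from a timemachine.cfg and one line of
classes.timemachine.log, then reports how much of the in-memory buffer
is used and whether any packets have reached disk.
Assumptions: size suffixes k/m/g are powers of 1024; "flushed" means
the log's disk_pkts column is non-zero.
"""
import re

# Constructed input: the class block and log lines posted in the thread.
TIMEMACHINE_CFG = """
class "all" {
         #filter "";
         precedence 1;
         cutoff no;
         disk 50g;
         filesize 128m;
         mem 5000m;
         pkts_to_disk 100;
}
"""

CLASS_LOG = """\
timestamp class stored_bytes stored_pkts cut_bytes cut_pkts mem_bytes mem_pkts mem_dt disk_bytes disk_pkts disk_dt
1495478432.93 class_all 7182 108 0 0 7182 108 541110.36 0 0 0.00
"""

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}  # assumption: binary units


def parse_size(text):
    """'5000m' -> bytes. The suffix scale is an assumption (see _UNITS)."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]?)\s*", text.lower())
    if not m:
        raise ValueError("bad size: %r" % text)
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_classes(cfg):
    """Return {class_name: {option: value}} for every class block in cfg."""
    classes = {}
    for name, body in re.findall(r'class\s+"([^"]+)"\s*\{(.*?)\}', cfg, re.S):
        opts = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip().rstrip(";")  # drop comments
            if not line:
                continue
            key, _, val = line.partition(" ")
            opts[key] = val.strip()
        classes[name] = opts
    return classes


def parse_class_log(log):
    """Return one dict per data line, keyed by the header row's column names."""
    lines = [l for l in log.splitlines() if l.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split()))
        for k in header:
            if k != "class":
                row[k] = float(row[k])
        rows.append(row)
    return rows


def check_class(opts, row):
    """Relate the configured mem budget to what the log says is buffered."""
    mem_limit = parse_size(opts["mem"])
    used = row["mem_bytes"]
    return {
        "mem_limit_bytes": mem_limit,
        "mem_used_bytes": int(used),
        "mem_used_fraction": used / mem_limit,
        "pkts_in_mem": int(row["mem_pkts"]),
        "pkts_on_disk": int(row["disk_pkts"]),
        # Per Aashish's reply, nothing is written until the mem budget is
        # exhausted, so disk_pkts == 0 is the expected state here.
        "flushed_to_disk": row["disk_pkts"] > 0,
    }


def report(cfg=TIMEMACHINE_CFG, log=CLASS_LOG):
    """Map each logged class back to its config block and check it."""
    classes = parse_classes(cfg)
    results = {}
    for row in parse_class_log(log):
        # The log names the class "class_all"; strip the prefix to match the cfg.
        name = row["class"]
        if name.startswith("class_"):
            name = name[len("class_"):]
        if name in classes:
            results[name] = check_class(classes[name], row)
    return results


if __name__ == "__main__":
    for name, r in report().items():
        print("class %r: %d of %d bytes buffered (%.8f%%), %d pkts in mem, "
              "%d pkts on disk, flushed=%s"
              % (name, r["mem_used_bytes"], r["mem_limit_bytes"],
                 100 * r["mem_used_fraction"], r["pkts_in_mem"],
                 r["pkts_on_disk"], r["flushed_to_disk"]))
```

For the posted log line this reports 7182 bytes buffered against a budget of roughly 5 GB, with all 108 packets still in memory and none on disk, which is consistent with the explanation that the buffer has to fill before anything is written. Point it at a live classes.timemachine.log to watch the fraction grow.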
