[Bro] Timemachine question - pkts_to_disk did not flush

Aashish Sharma asharma at lbl.gov
Mon May 22 16:23:17 PDT 2017


(OK, I was wondering about the pkts_to_disk option, so I had to confirm.)

I think pkts_to_disk actually has a different purpose than you originally thought. Check out doc/howto.rst:

  mem <number>
    Allocate RAM storage of <number> bytes in size.

  pkts_to_disk 2
    The moment packets are to be evicted from the RAM buffers to disk,
    this number determines how many packets to move at a single step.

I'd try a 0 or a low value for mem and a large value for pkts_to_disk.

Aashish 

On Mon, May 22, 2017 at 02:52:37PM -0400, Chris Chiaverini wrote:
> Please help.
> 
> I was collecting something in particular and noticed that timemachine is 
> not flushing to disk as expected.
> 
> I have my "all" class set to 100 packets and the class log shows 108 
> packets but there is no pcap file yet.  Is there a way to force 
> timemachine to flush to disk (kill switch maybe?)?
> 
> This is my timemachine.cfg:
> 
> global filter is by host
> 
> <OMITTED>
> 
>          filter "host xxx.xxx.xxx.xxx";
> <OMITTED>
> 
> class "all" {
>          #filter "";
>          precedence 1;
>          cutoff no;
>          disk 50g;
>          filesize 128m;
>          mem 5000m;
>          pkts_to_disk 100;
> }
> 
> Here is the class log:
> 
> # head -1 classes.timemachine.log && tail -1 classes.timemachine.log
> timestamp class stored_bytes stored_pkts cut_bytes cut_pkts mem_bytes 
> mem_pkts mem_dt disk_bytes disk_pkts disk_dt
> 1495478432.93 class_all 7182 108 0 0 7182 108 541110.36 0 0 0.00
> #
> 
> 
> -- 
> 
> 
> Regards,
> 
> Chris
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
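
An added example, not part of either message or of Timemachine itself: a small parser for the classes.timemachine.log row posted above that compares mem_bytes with the configured mem size and shows that all 108 packets are still held in RAM. It assumes size suffixes are binary multiples and that eviction to disk only starts once the RAM buffer fills, which is how the reply reads doc/howto.rst.

```python
# Added example: column names and the sample row are copied from the thread;
# the size-suffix handling and the "buffer must fill first" rule are assumptions.
HEADER = ("timestamp class stored_bytes stored_pkts cut_bytes cut_pkts "
          "mem_bytes mem_pkts mem_dt disk_bytes disk_pkts disk_dt").split()

# Last line of classes.timemachine.log as posted in the thread.
SAMPLE_ROW = "1495478432.93 class_all 7182 108 0 0 7182 108 541110.36 0 0 0.00"

_UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}  # assumed binary multiples
_FLOAT_FIELDS = ("timestamp", "mem_dt", "disk_dt")


def parse_size(text):
    """Turn a config size such as '5000m' or '50g;' into bytes."""
    text = text.strip().rstrip(";").lower()
    if text and text[-1] in _UNITS:
        return int(text[:-1]) * _UNITS[text[-1]]
    return int(text)


def parse_row(line):
    """Map one log row onto the header; numeric fields become int or float."""
    values = line.split()
    if len(values) != len(HEADER):
        raise ValueError(f"expected {len(HEADER)} fields, got {len(values)}")
    row = dict(zip(HEADER, values))
    for key in HEADER:
        if key != "class":
            row[key] = float(row[key]) if key in _FLOAT_FIELDS else int(row[key])
    return row


def diagnose(row, mem_setting):
    """Report where a class's packets currently live and how full its RAM buffer is."""
    mem_budget = parse_size(mem_setting)
    fill = row["mem_bytes"] / mem_budget if mem_budget else 1.0
    return {
        "class": row["class"],
        "pkts_in_mem": row["mem_pkts"],
        "pkts_on_disk": row["disk_pkts"],
        "mem_fill_ratio": fill,
        # Assumption: nothing is evicted until the RAM buffer is full.
        "waiting_in_ram": row["disk_pkts"] == 0 and row["mem_pkts"] > 0 and fill < 1.0,
    }


if __name__ == "__main__":
    print(diagnose(parse_row(SAMPLE_ROW), "5000m"))
```
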

