[Bro] Timemachine question - pkts_to_disk did not flush

Chiaverini, Christian cchiaverini at bnl.gov
Mon May 22 20:51:50 PDT 2017 

Thank you for clarifying.  On the off chance, is there a kill signal I can send to a current running daemon to flush to disk?  I have one running which I would like to flush to disk before resetting the config as you recommended.

 
 
--
 
 
Regards,
 
Chris 

On 5/22/17, 7:23 PM, "Aashish Sharma" <asharma at lbl.gov> wrote:

    (OK, I was wondering about pkts_to_disk option so hand to confirm)
    
    I think, So pkts_to_disk actually has different purpose than you originally thought. check out: doc/howto.rst 
    
      mem <number>
        Allocate RAM storage of <number> bytes in size.
    
      pkts_to_disk 2
        The moment packets are to be evicted from the RAM buffers to disk,
        this number determines how many packets to move at a single step.
    
    I'd  try a 0 or a low value for mem and a large value for pkts_to_disk. 
    
    Aashish 
    
    On Mon, May 22, 2017 at 02:52:37PM -0400, Chris Chiaverini wrote:
    > Please help.
    > 
    > I was collecting something in particular an noticed that timemachine is 
    > not flushing to disk as expected.
    > 
    > I have my "all" class set to 100 packets and the class log shows 108 
    > packets but there is no pcap file yet.  Is there a way to force 
    > timemachine to flush to disk (kill switch maybe?)?
    > 
    > This is my timemachine.cfg:
    > 
    > global filter is by host
    > 
    > <OMITTED>
    > 
    >          filter "host xxx.xxx.xxx.xxx";
    > <OMITTED>
    > 
    > class "all" {
    >          #filter "";
    >          precedence 1;
    >          cutoff no;
    >          disk 50g;
    >          filesize 128m;
    >          mem 5000m;
    >          pkts_to_disk 100;
    > }
    > 
    > Here is the class log:
    > 
    > # head -1 classes.timemachine.log && tail -1 classes.timemachine.log
    > timestamp class stored_bytes stored_pkts cut_bytes cut_pkts mem_bytes 
    > mem_pkts mem_dt disk_bytes disk_pkts disk_dt
    > 1495478432.93 class_all 7182 108 0 0 7182 108 541110.36 0 0 0.00
    > #
    > 
    > 
    > -- 
    > 
    > 
    > Regards,
    > 
    > Chris
    > 
    > _______________________________________________
    > Bro mailing list
    > bro at bro-ids.org
    > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list