[Bro] Timemachine question - pkts_to_disk did not flush

Chris Chiaverini cchiaverini at bnl.gov
Thu May 25 08:40:50 PDT 2017


Weird, same issue.  36 packets in memory:

# head -1 classes.timemachine.log ; tail -1 classes.timemachine.log
timestamp class stored_bytes stored_pkts cut_bytes cut_pkts mem_bytes mem_pkts mem_dt disk_bytes disk_pkts disk_dt
1495726546.68 class_all 2394 36 0 0 0 0 0.00 0 0 0.00
#

With configuration:

class "all" {
         #filter "";
         precedence 1;
#       cutoff 10k;
         cutoff no;
         disk 50g;
         #filesize 1g;
         filesize 128m;
         mem 0;
         pkts_to_disk 2;
}



Regards,

Chris Chiaverini
Cyber Security Operations
Brookhaven National Laboratory
Upton, New York 11973

On 05/22/2017 07:23 PM, Aashish Sharma wrote:
> (OK, I was wondering about the pkts_to_disk option so had to confirm)
>
> I think so. pkts_to_disk actually has a different purpose than you originally thought. Check out: doc/howto.rst
>
>    mem <number>
>      Allocate RAM storage of <number> bytes in size.
>
>    pkts_to_disk 2
>      The moment packets are to be evicted from the RAM buffers to disk,
>      this number determines how many packets to move at a single step.
>
> I'd try a 0 or a low value for mem and a large value for pkts_to_disk.
>
> Aashish
>
> On Mon, May 22, 2017 at 02:52:37PM -0400, Chris Chiaverini wrote:
>> Please help.
>>
>> I was collecting something in particular and noticed that timemachine is
>> not flushing to disk as expected.
>>
>> I have my "all" class set to 100 packets and the class log shows 108
>> packets but there is no pcap file yet.  Is there a way to force
>> timemachine to flush to disk (kill switch maybe?)?
>>
>> This is my timemachine.cfg:
>>
>> global filter is by host
>>
>> <OMITTED>
>>
>>           filter "host xxx.xxx.xxx.xxx";
>> <OMITTED>
>>
>> class "all" {
>>           #filter "";
>>           precedence 1;
>>           cutoff no;
>>           disk 50g;
>>           filesize 128m;
>>           mem 5000m;
>>           pkts_to_disk 100;
>> }
>>
>> Here is the class log:
>>
>> # head -1 classes.timemachine.log && tail -1 classes.timemachine.log
>> timestamp class stored_bytes stored_pkts cut_bytes cut_pkts mem_bytes mem_pkts mem_dt disk_bytes disk_pkts disk_dt
>> 1495478432.93 class_all 7182 108 0 0 7182 108 541110.36 0 0 0.00
>> #
>>
>>
>> -- 
>>
>>
>> Regards,
>>
>> Chris
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
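As an added example (not code from this thread or from Time Machine itself), here is a small Python checker for classes.timemachine.log that flags classes whose stored_pkts is non-zero while disk_pkts is still zero, separating packets still held in the RAM buffer (mem_pkts > 0) from packets that appear in neither counter; the sample input is the two log lines quoted in this thread, the column names come from the log header, and the status labels are my own.

```python
"""Flag Time Machine classes whose captured packets have not reached disk."""
from dataclasses import dataclass

# Constructed sample: the log header plus the two data lines quoted in
# this thread (mem 5000m run first, mem 0 run second).
SAMPLE_LOG = """\
timestamp class stored_bytes stored_pkts cut_bytes cut_pkts mem_bytes mem_pkts mem_dt disk_bytes disk_pkts disk_dt
1495478432.93 class_all 7182 108 0 0 7182 108 541110.36 0 0 0.00
1495726546.68 class_all 2394 36 0 0 0 0 0.00 0 0 0.00
"""


@dataclass
class ClassStats:
    timestamp: str  # kept as text so it round-trips exactly
    name: str
    stored_pkts: int
    mem_pkts: int
    disk_pkts: int


def parse_classes_log(text):
    """Parse the space-separated log: first line is the header, the rest are records."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    records = []
    for line in lines[1:]:
        values = line.split()
        if len(values) != len(header):
            raise ValueError(f"malformed record: {line!r}")
        f = dict(zip(header, values))
        records.append(ClassStats(f["timestamp"], f["class"], int(f["stored_pkts"]),
                                  int(f["mem_pkts"]), int(f["disk_pkts"])))
    return records


def flush_status(rec):
    """'ok' once anything hit disk; 'in_memory' while packets sit in RAM;
    'unaccounted' when stored packets show in neither counter (my labels)."""
    if rec.disk_pkts > 0:
        return "ok"
    if rec.mem_pkts > 0:
        return "in_memory"
    return "unaccounted" if rec.stored_pkts > 0 else "empty"


def unflushed_classes(text):
    """Map 'class@timestamp' -> status for records with stored packets but none on disk."""
    return {f"{r.name}@{r.timestamp}": flush_status(r)
            for r in parse_classes_log(text)
            if r.stored_pkts > 0 and r.disk_pkts == 0}
```

Run it against the live classes.timemachine.log periodically; an 'in_memory' result for longer than expected is the symptom described in this thread.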


