Running Bro with -r option

Hi

I want to test the resource consumption of Bro (CPU and memory),
but I have only tcpdump files with high traffic amounts.

Is there a possibility to run Bro with the -r option so that
it goes through the traffic in the tcpdump files according to
the timestamps?

To make it clear: I want to simulate the real resource usage
how it would occur with the traffic in the tcpdump file.

Thanks for any help
cheers
christoph

Bro's internal time is based on packet timestamps, i.e. its notion
of time is the same regardless of whether you're reading a live stream
or a trace. In both cases Bro performs the same kind of analysis,
and therefore, in general, needs the same amount of CPU and memory.

There's one important point, though, that you lose with a trace: the
real-time behaviour. Most importantly, spikes in the processing time
don't do any harm in an offline analysis but may lead to significant
packet drops in real-time (and, naturally, when Bro drops packets,
it sees a different input stream, and then its analysis may differ,
too).

If you're interested, we've also done some CPU/memory measurements
and summarized them in a paper; see
http://www.net.in.tum.de/~robin/papers/ccs04.pdf

Robin
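
The difference described in the reply between offline and real-time processing can be made concrete with a small queue model. This is an added example, not part of the original thread and not Bro code. It assumes a single-threaded analyser, a fixed-size capture buffer, and a constructed trace with constructed per-packet CPU costs; `replay`, `constructed_trace` and `buffer_slots` are hypothetical names.

```python
from collections import deque

def replay(packets, buffer_slots=None):
    """Feed (timestamp_us, cpu_cost_us) pairs to a single-threaded analyser.

    buffer_slots=None models reading a trace with -r: the next packet is
    fetched only when the analyser is ready, so nothing is ever lost.
    An integer models live capture: packets arrive at their timestamps into
    a buffer holding at most buffer_slots packets (waiting or in service),
    and an arrival that finds the buffer full is dropped.
    Returns (analysed, dropped, cpu_us_spent).
    """
    pending = deque()   # finish times of packets still held in the buffer
    free_at = 0         # wall-clock time at which the analyser becomes idle
    analysed = dropped = cpu_us = 0
    for ts, cost in packets:
        if buffer_slots is not None:
            # Release buffer slots of packets finished before this arrival.
            while pending and pending[0] <= ts:
                pending.popleft()
            if len(pending) >= buffer_slots:
                dropped += 1
                continue
            free_at = max(free_at, ts) + cost
            pending.append(free_at)
        analysed += 1
        cpu_us += cost
    return analysed, dropped, cpu_us

def constructed_trace():
    # Constructed input: 1000 packets, one per millisecond, 0.5 ms of CPU
    # each, except packet 500, which triggers a 200 ms processing spike.
    return [(i * 1000, 200_000 if i == 500 else 500) for i in range(1000)]

if __name__ == "__main__":
    for label, slots in (("offline (-r)", None), ("live, 64-slot buffer", 64)):
        analysed, dropped, cpu_us = replay(constructed_trace(), slots)
        print(f"{label}: analysed={analysed} dropped={dropped} "
              f"cpu={cpu_us / 1e6:.4f}s")
```

In this model the offline run averages about 70% CPU over the one-second trace and loses nothing, while the same trace arriving live loses packets during the spike, so the analyser then works on a different input stream.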