Timemachine question - pkts_to_disk did not flush

Please help.

I was collecting something in particular and noticed that timemachine is not flushing to disk as expected.

I have my "all" class set to 100 packets and the class log shows 108 packets but there is no pcap file yet. Is there a way to force timemachine to flush to disk (kill switch maybe?)?

This is my timemachine.cfg:

global filter is by host

<OMITTED>

         filter "host xxx.xxx.xxx.xxx";
<OMITTED>

class "all" {
         #filter "";
         precedence 1;
         cutoff no;
         disk 50g;
         filesize 128m;
         mem 5000m;
         pkts_to_disk 100;
}

Here is the class log:

# head -1 classes.timemachine.log && tail -1 classes.timemachine.log
timestamp class stored_bytes stored_pkts cut_bytes cut_pkts mem_bytes mem_pkts mem_dt disk_bytes disk_pkts disk_dt
1495478432.93 class_all 7182 108 0 0 7182 108 541110.36 0 0 0.00

Chris,

I think because you've got mem 5000m, which means about 5GB of pcaps will be in memory before it starts writing to disk.

(A huge mem option is generally useful for when bro talks to timemachine and needs to extract pcaps for particular notices. TimeMachine searches memory before searching on the disk for said connections.)

Aashish

(OK, I was wondering about the pkts_to_disk option so had to confirm)

I think pkts_to_disk actually has a different purpose than you originally thought. Check out: doc/howto.rst

  mem <number>
    Allocate RAM storage of <number> bytes in size.

  pkts_to_disk 2
    The moment packets are to be evicted from the RAM buffers to disk,
    this number determines how many packets to move at a single step.

I'd try a 0 or a low value for mem and a large value for pkts_to_disk.

Aashish

Thank you for clarifying. On the off chance, is there a kill signal I can send to a current running daemon to flush to disk? I have one running which I would like to flush to disk before resetting the config as you recommended.

Weird, same issue. 36 packets in memory:

# head -1 classes.timemachine.log ; tail -1 classes.timemachine.log
timestamp class stored_bytes stored_pkts cut_bytes cut_pkts mem_bytes mem_pkts mem_dt disk_bytes disk_pkts disk_dt
1495726546.68 class_all 2394 36 0 0 0 0 0.00 0 0 0.00
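A small check for the situation in this thread, as an added example that is not part of the original posts or of the TimeMachine project: it parses classes.timemachine.log using the column names from the header line and reports, per class, how many stored packets have not reached disk. The sample log is constructed from the two excerpts above; the field typing (counts as integers, timestamp and the *_dt columns as floats) is an assumption based on those excerpts.

```python
"""Added example (not TimeMachine project code): parse classes.timemachine.log
and report, per class, how many stored packets have not been written to disk."""

from typing import Dict, List

# Constructed sample: the header plus the two rows quoted in this thread.
SAMPLE_LOG = """\
timestamp class stored_bytes stored_pkts cut_bytes cut_pkts mem_bytes mem_pkts mem_dt disk_bytes disk_pkts disk_dt
1495478432.93 class_all 7182 108 0 0 7182 108 541110.36 0 0 0.00
1495726546.68 class_all 2394 36 0 0 0 0 0.00 0 0 0.00
"""

# Assumption: byte and packet counters are integers; everything else but the
# class name is a float (timestamps and the *_dt columns).
INT_FIELDS = {"stored_bytes", "stored_pkts", "cut_bytes", "cut_pkts",
              "mem_bytes", "mem_pkts", "disk_bytes", "disk_pkts"}


def parse_classes_log(text: str) -> List[Dict[str, object]]:
    """Turn the whitespace-separated log into one dict per row, keyed by header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows: List[Dict[str, object]] = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError(f"malformed row (expected {len(header)} fields): {line!r}")
        row: Dict[str, object] = {}
        for name, value in zip(header, fields):
            if name == "class":
                row[name] = value
            elif name in INT_FIELDS:
                row[name] = int(value)
            else:
                row[name] = float(value)
        rows.append(row)
    return rows


def latest_per_class(rows: List[Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Keep only the most recent row for each class (later timestamps win)."""
    latest: Dict[str, Dict[str, object]] = {}
    for row in rows:
        cls = str(row["class"])
        if cls not in latest or row["timestamp"] >= latest[cls]["timestamp"]:
            latest[cls] = row
    return latest


def unflushed(rows: List[Dict[str, object]]) -> Dict[str, int]:
    """Classes whose latest row stores packets but reports nothing on disk.

    Returns {class: stored_pkts - disk_pkts}; an empty dict means every class
    with stored packets has written at least some of them to disk.
    """
    pending: Dict[str, int] = {}
    for cls, row in latest_per_class(rows).items():
        stored = int(row["stored_pkts"])
        on_disk = int(row["disk_pkts"])
        if stored > 0 and on_disk == 0:
            pending[cls] = stored - on_disk
    return pending


if __name__ == "__main__":
    parsed = parse_classes_log(SAMPLE_LOG)
    for cls, count in unflushed(parsed).items():
        print(f"{cls}: {count} stored packets, none on disk yet")
```

Pointing it at a live log (read the file instead of SAMPLE_LOG) gives a quick answer to the question asked above: whether a class that should have been flushed still reports disk_pkts of 0.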