Virtual Memory exceeded

We've got some trouble with bro...
After about 2 hours running bro (mt script), bro crash with a :
"Virtual Memory exceeded in 'new'" Error.

How large a volume traffic stream are you monitoring? (how many hosts,
connections/sec, raw link speed) What filter (bro -F) are you using?

Can someone suggest me what I can do about this (I've already increased
RAM and swap from 32Mb to 64Mb) ?

For our environment (5000+ hosts, FDDI link) we run with a lot more memory
than that.

Is there a way to check what part of bro is taking whole this memory (stream
buffers or active sessions table, ...)

It will mostly be the active sessions.

    Vern

> We've got some trouble with bro...
> After about 2 hours running bro (mt script), bro crash with a :
> "Virtual Memory exceeded in 'new'" Error.

How large a volume traffic stream are you monitoring? (how many hosts,
connections/sec, raw link speed) What filter (bro -F) are you using?

# hosts: about 60
# connections/sec: no idea. A lot of HTTP connections
# raw link speed: 10Mb/s (ethernet-shared)

Bro runs with no filter specified (bro -i eth0 mt.bro)

We have 64Mb RAM and 64 Mb swap.

The problem is that when Bro runs, the memory used by the application
never decreases (even when the traffic decreases, during the week-end for
example)

Everything is ok with the size of the log files.

Another remark we have. During our monitoring of the network, we get
entries in bro.log:
pm_getport unknown-1073741824 (timeout)
how could such a huge port number be used ?

Alexandre Dumortier
Patrick Verstraete
Universite catholique de Louvain, Belgium