> > We've got some trouble with bro...
> > After about 2 hours of running bro (mt script), bro crashes with a:
> > "Virtual Memory exceeded in 'new'" error.
> How large a volume traffic stream are you monitoring? (how many hosts,
> connections/sec, raw link speed) What filter (bro -F) are you using?
> # hosts: about 60
> # connections/sec: no idea. A lot of HTTP connections
> # raw link speed: 10Mb/s (ethernet-shared)
That's not much load at all. (Does it really run out of memory in 2 hours?
Later you discuss running it over the weekend, which sounds like you run it
a lot longer than 2 hours.)
However, I wonder if:
> Bro runs with no filter specified (bro -i eth0 mt.bro)
this is tickling a memory leak somewhere, since I always run it with a
filter so it only captures the traffic it's interested in. Try running
with the following filter:
-F "(tcp[13] & 0x7 != 0) or tcp port telnet or tcp port finger or tcp port ftp or port 111"
and let me know if that does the trick. If not, and if you're willing to
send me a trace file (you can make one using bro -w <file>), then I'll see
if I can find the problem.
> Another remark we have. During our monitoring of the network, we get
> entries in bro.log:
> pm_getport unknown-1073741824 (timeout)
> how could such a huge port number be used?
That's a 32-bit portmapper port, not a 16-bit TCP/UDP port. See /etc/rpc
(and Bro's portmapper.bro) for mappings from numbers to ports.
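As an added illustration (not code from this thread, and not Bro's own portmapper.bro), the following Python snippet shows why 1073741824 is a legitimate value in that log line: it is the 32-bit RPC program number passed to pm_getport, not a 16-bit transport port. It parses /etc/rpc-format lines to map numbers to names, extracts the number from a bro.log entry of the form shown above, and flags numbers in 0x40000000-0x5fffffff, the range the ONC RPC specification (RFC 5531) reserves for dynamically assigned "transient" programs, which is why no /etc/rpc entry names them. The /etc/rpc content and the log line are constructed samples; the function names are my own.

```python
import re

# Transient (dynamically assigned) program-number range from the ONC RPC
# spec (RFC 5531, "Program Number Assignment"). 1073741824 == 0x40000000
# is the very first number in that range.
RPC_TRANSIENT_LOW = 0x40000000
RPC_TRANSIENT_HIGH = 0x5FFFFFFF

# Constructed sample in /etc/rpc format (name, number, aliases); not a copy
# of any real host's file.
SAMPLE_ETC_RPC = """\
# name          number  aliases
portmapper      100000  portmap sunrpc rpcbind
rstatd          100001  rstat rup perfmeter
nfs             100003  nfsprog
mountd          100005  mount showmount
nlockmgr        100021
"""

# Constructed bro.log line in the form quoted in the thread.
CONSTRUCTED_LOG_LINE = "pm_getport unknown-1073741824 (timeout)"

# Only the "unknown-<number>" form is parsed; a resolved name carries no number.
PM_GETPORT_RE = re.compile(r"pm_getport\s+unknown-(\d+)")


def parse_etc_rpc(text):
    """Return {program_number: name} from /etc/rpc-style text.

    Comments start with '#', blank lines are ignored, and the first two
    whitespace-separated fields are the canonical name and the number.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            table[int(fields[1])] = fields[0]
        except ValueError:
            continue  # malformed number field; skip the line
    return table


def rpc_program_name(number, table):
    """Name a 32-bit RPC program number for a log reader.

    Known numbers resolve via the table; numbers in the transient range are
    labelled as such rather than "unknown", since no static table lists them.
    """
    if number in table:
        return table[number]
    if RPC_TRANSIENT_LOW <= number <= RPC_TRANSIENT_HIGH:
        return "transient-%d" % number
    return "unknown-%d" % number


def program_number_from_log(line):
    """Extract the program number from a 'pm_getport unknown-N' log entry."""
    m = PM_GETPORT_RE.search(line)
    return int(m.group(1)) if m else None


def explain_log_line(line, rpc_text=SAMPLE_ETC_RPC):
    """Return (number, hex, name) for a pm_getport log line, or None."""
    number = program_number_from_log(line)
    if number is None:
        return None
    return (number, hex(number), rpc_program_name(number, parse_etc_rpc(rpc_text)))


if __name__ == "__main__":
    print(explain_log_line(CONSTRUCTED_LOG_LINE))
```

The hex form makes the point immediately: 0x40000000 does not fit in 16 bits, so it cannot be a TCP/UDP port, and a client asking the portmapper for a transient program that has not registered (or has gone away) is exactly the kind of request that ends in a timeout.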