On Wed, Jan 19, 2005 at 15:14 +0100, Christoph Goeldi wrote:
> to make it clear: I want to simulate the real
> how it would occur with the traffic in the tcpdump file.
Bro's internal time is based on packet timestamps, i.e. its notion
of time is the same regardless of whether you're reading a live stream
or a trace. In both cases Bro performs the same kind of analysis,
and therefore, in general, needs the same amount of CPU and memory.
There's one important point, though, that you lose with a trace: the
real-time behaviour. Most importantly, spikes in the processing time
don't do any harm in an offline analysis but may lead to significant
packet drops in real time (and, naturally, when Bro drops packets,
it sees a different input stream, and then its analysis may differ,
If you're interested, we've also done some CPU/memory measurements
and summarized them in a paper; see
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Muenchen * Phone (089) 289-18006 * sommer(a)in.tum.de