[Bro] Memory consumption of a single table entry

Roman Hiestand romhiest at ee.ethz.ch
Tue Mar 1 02:21:58 PST 2005


I'm using Bro since quite a while and so far I'm quite happy with the tool.

Now, I have a questions concerning the memory consumption. I'm running my own
Bro script which is given below. I have installed the latest version 0.9a8 of
Bro on a Suse Linux.

I started Bro, sent 9'844 packets to random IPs. Afterwards, prof.log gives me
the following information:

1109672099.923449 Global_sizes > 100k: 0K
1109672099.923449                test_table = 1340K (9844 entries)

The tables is, as given below, indexed by destination IP and the entries are of
type bool. One entry uses 139 Bytes (= 1340 KB / 9844 entries).
I do not understand why one entry uses that much of memory. An IP can be stored
in 4 Byte and the table content of type bool in 1 bit. I can imagine that Bro
uses memory for the Hash or other information. But this does not require 139

Can you please explain me, why Bro uses this much of memory for one table entry
and what I can do to avoid this high memory consumption.


#script test.bro
@load profiling
@load reduce-memory
redef ignore_checksums = T;
redef profiling_interval = 10secs &redef;

global test_table: table[addr] of bool;

event icmp_unreachable(icmp: icmp_conn, code: count, context: icmp_context) {
        local destIP = context$id$resp_h;
        test_table[destIP] = T;

More information about the Bro mailing list