[Bro] Performance questions
robin at icir.org
Mon Feb 5 09:53:07 PST 2007
On Mon, Feb 05, 2007 at 11:06 -0600, Zachary P Reimer wrote:
> split out into multiple boxes, so I wanted to verify if bro will take
> advantage of the multiple processors.
It does not, for the most part. All of the main analysis is done in
a single process and is not able to make use of multiple CPUs. The only
exception is remote communication which does the actual i/o via a
second process (but just the i/o; e.g., data structures are still
serialized by the main process).
We're planning to structure the processing into something more
parallelizable eventually but this will take some time.
> The other question is about the performance/CPU impact of the Dynamic
> Protocol Detection feature in 1.2, since I haven't seen discussion around
> that and would like to use it.
The main performance impact is the need to inspect all packets
(instead of using a packet filter which selects only the relevant
subset of ports, as Bro used to do it). See this paper for some
performance numbers measured with an earlier prototype:
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org