[Bro] Bro Memory Consumtion

Powell, Scott powellsm at musc.edu
Thu Mar 25 12:45:27 PDT 2010

I recompiled without IPv6 and int64 today and so far my memory footprint is considerably lower, as expected. I will keep an eye on it over the next few days (I have disabled my nightly restart cron) and see how it behaves.

We have just brought IPv6 to our border router and will soon be testing it in the perimeter. Hopefully by the time we get anywhere close to widespread usage Bro will have better support for it. Wishful thinking, huh? :)

-----Original Message-----
From: Seth Hall [mailto:hall.692 at osu.edu] 
Sent: Wednesday, March 24, 2010 9:54 AM
To: Powell, Scott
Cc: Justin Azoff; bro at ICSI.Berkeley.EDU
Subject: Re: [Bro] Bro Memory Consumtion

On Mar 24, 2010, at 9:38 AM, Powell, Scott wrote:

> Yes, I did include '--enable-brov6' because we are getting ready to  
> roll out IPv6 in our perimeter and I was also seeing messages from Bro  
> that it was not compiled with IPv6 support (via "broctl diag").

Rebuild Bro without brov6 and int64 for now.  Currently when you  
enable IPv6, all IP addresses consume 128-bits of memory (even IPv4  
addresses!). You can see that this is what's happening by looking at  
the line in your prof.log that starts with "Conns:".  It indicates  
that memory consumed just by connection state is over 3G (3372528K).

There has been talk about changing things around so that IPv4  
addresses still only take up 32-bits of memory even when IPv6 is  
enabled, but I don't know where those discussions ended and I don't  
know how difficult of a change that would be to make.  Maybe Robin or  
Vern will comment on that? :)

The IPv6 code has not been tested all that well either, so it's also  
possible that there are some memory leaks or other bugs lurking that  
could lead to high memory use.


Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
