[Bro] Bro Memory Consumption

Powell, Scott powellsm at musc.edu
Mon Mar 29 05:16:18 PDT 2010

Seth, I wanted to circle back around on this. This was definitely the issue as my memory usage has now flatlined. I have not restarted Bro in 4 days and my total memory usage is < 3GB for all workers, proxy and manager combined.

Thanks for the help.


-----Original Message-----
From: bro-bounces at ICSI.Berkeley.EDU [mailto:bro-bounces at ICSI.Berkeley.EDU] On Behalf Of Powell, Scott
Sent: Thursday, March 25, 2010 3:45 PM
To: Seth Hall
Cc: Justin Azoff; bro at ICSI.Berkeley.EDU
Subject: Re: [Bro] Bro Memory Consumption

I recompiled without IPv6 and int64 today and so far my memory footprint is considerably lower, as expected. I will keep an eye on it over the next few days (I have disabled my nightly restart cron) and see how it behaves.

We have just brought IPv6 to our border router and will soon be testing it in the perimeter. Hopefully by the time we get anywhere close to widespread usage Bro will have better support for it. Wishful thinking, huh? :)

-----Original Message-----
From: Seth Hall [mailto:hall.692 at osu.edu] 
Sent: Wednesday, March 24, 2010 9:54 AM
To: Powell, Scott
Cc: Justin Azoff; bro at ICSI.Berkeley.EDU
Subject: Re: [Bro] Bro Memory Consumption

On Mar 24, 2010, at 9:38 AM, Powell, Scott wrote:

> Yes, I did include '--enable-brov6' because we are getting ready to
> roll out IPv6 in our perimeter and I was also seeing messages from Bro
> that it was not compiled with IPv6 support (via "broctl diag").

Rebuild Bro without brov6 and int64 for now.  Currently when you
enable IPv6, all IP addresses consume 128 bits of memory (even IPv4
addresses!). You can see that this is what's happening by looking at
the line in your prof.log that starts with "Conns:".  It indicates
that memory consumed just by connection state is over 3G (3372528K).

There has been talk about changing things around so that IPv4
addresses still only take up 32 bits of memory even when IPv6 is
enabled, but I don't know where those discussions ended and I don't
know how difficult of a change that would be to make.  Maybe Robin or
Vern will comment on that? :)

The IPv6 code has not been tested all that well either, so it's also  
possible that there are some memory leaks or other bugs lurking that  
could lead to high memory use.


Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
