[Bro] Bro & malloc implementations

Jim Mellander jmellander at lbl.gov
Mon Nov 19 11:18:15 PST 2012

I wanted to share my experiences with bro and various malloc
implementations.  These are all running various versions of bro on SL 6.2 -
a recompile of RedHat Enterprise Linux from Fermi Lab -

1. We are running a legacy Bro 1.5 installation currently supporting our
old Instrumented SSHd infrastructure -
http://code.google.com/p/auditing-sshd/ - we found that the standard malloc
uses more memory than either of tcmalloc or jemalloc.  I build bro with
--enable-perftools to test tcmalloc, with a smaller memory footprint.  To
use jemalloc I just set LIBS=-ljemalloc  -  at this point we are using
jemalloc, as it seems even a bit more memory thrifty than tcmalloc

2. As part of the Instrumented SSHd infrastructure, we also have a perl
script (ssllogmux) that runs a select loop accepting connections from all
the Instrumented SSHd clients - typically several thousand at once.  This
is also in the Instrumented SSHd distribution.  Perl is compiled to not use
its own malloc, but to use the system.  However, using the system malloc,
this program would freeze after a day or so of operation.  By using
LD_PRELOAD, we forced it to use alternate malloc libraries - under both
tcmalloc and jemalloc, it runs reliably.

3. On another system, we ran Bro 2.0 (now running 2.1), and bro was
(un)reliably freezing after a day or two - running but capturing no data
when compiled with --enable-perftools - when compiled with
--disable-perftools, it has been rock solid.  I don't know enough yet about
Cmake to have it use another malloc implementation easily - hopefully
someone else knows how to do that - I want to test jemalloc

So thats our current state of play - I would be interested in other folks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20121119/440efe24/attachment.html 

More information about the Bro mailing list