[Bro] High-CPU on just a single worker in the cluster

Azoff, Justin S jazoff at illinois.edu
Thu Apr 14 07:41:00 PDT 2016

> On Apr 14, 2016, at 9:55 AM, Dave Crawford <bro at pingtrip.com> wrote:
> You may be on to something with the non-ip traffic... there is a drastic difference between the two datacenters:
> 1460641772.239436 pkts=10414545 kpps=208.2 kbytes=5732528 mbps=938.6 nic_pkts=10414545 nic_drops=0 u=104675 t=3627503 i=307 o=405 nonip=6681655
> 1460641723.573448 pkts=9553569 kpps=178.9 kbytes=6561123 mbps=1006.6 nic_pkts=9553569 nic_drops=0 u=174140 t=9373195 i=267 o=934 nonip=5033

Great.. just what I was thinking.  At this point you should be able to just run something like

    tcpdump -n -c 1000 'not ip'

on the WIN box

and see exactly what this traffic is.. then we can figure out what to do about it...

- Justin Azoff

More information about the Bro mailing list