[Bro] question about intel files

Azoff, Justin S jazoff at illinois.edu
Wed Aug 3 06:42:54 PDT 2016

> On Aug 3, 2016, at 7:22 AM, philosnef <philosnef at yahoo.com> wrote:
> We have 2 10 physical core systems with 20 logical cores for a total of 40. Bro has a capture loss of sub .5% across all workers, so it seems unlikely that the box is overloaded. The capture rate of the box, per pfring is about 3.5Gb/s. We reported memory issues in the past, but those were written off as not related to the memory leak recently patched in the 24 branch and the 25 branch.

What process is using memory?  Workers? Proxies? Manager?  If you can include the output of 'broctl top' that would be helpful.  Otherwise it is pretty hard to determine what the issue may even be.

If you have a dual 10 core system and are running 20 workers then that leaves no room for the manager or for any tasks like log rotation.  For a 20 core system I would run at most 18 workers.

- Justin Azoff

More information about the Bro mailing list