[Bro] question about intel files

Azoff, Justin S jazoff at illinois.edu
Wed Aug 3 07:24:18 PDT 2016

> On Aug 3, 2016, at 10:03 AM, philosnef <philosnef at yahoo.com> wrote:
>              total       used       free     shared    buffers     cached
> Mem:        371336     340383      30952          0        300     111823
> -/+ buffers/cache:     228259     143076 
> Swap:        15999        191      15808 

Ah, I think you have been looking at the wrong numbers.

You are only using 228259M (~222G, not 355G).
111823M is unallocated and currently used for buffer/disk cache.

This amount will always grow until it ends up using almost all the 'free' memory on the machine.

The reason why the OOM killer isn't killing anything is because you still have over 128G of RAM free.

I added up all the RAM usage from the output of bro top, and adding some overhead for the rounded amounts measured in gigs, came to

Minus splunk, that does still leave about 150G unaccounted for.

I believe some of that will be used by packet buffers in the kernel, depending on how you have configured pf_ring.

But even at a huge 1G buffer for each of 20 workers (which I think is much, much more than it uses by default) that is only another 20G.

- Justin Azoff
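
The reading of `free` described in the message above, as an added example that is not part of the original post: a small parser that separates memory held by applications from buffer/disk cache. It goes beyond the quoted output by also handling the newer procps-ng column layout; the function names and the second sample are assumptions made for illustration.

```python
import re

# Sample 1: the `free -m` output quoted in the message above
# (older procps layout with a "-/+ buffers/cache" row).
OLD_FREE = """\
             total       used       free     shared    buffers     cached
Mem:        371336     340383      30952          0        300     111823
-/+ buffers/cache:     228259     143076
Swap:        15999        191      15808
"""

# Sample 2: constructed for this example, newer procps-ng layout.
NEW_FREE = """\
              total        used        free      shared  buff/cache   available
Mem:         371336      228259       30952           0      112125      141000
Swap:         15999         191       15808
"""


def parse_free(text):
    """Split the Mem: row into application use and buffer/disk cache."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    mem = next(l for l in lines if l.startswith("Mem:"))
    row = dict(zip(header, (int(v) for v in mem.split()[1:])))
    if "buff/cache" in row:
        # Newer layout: "used" already excludes buffers and page cache.
        cache = row["buff/cache"]
        app_used = row["used"]
    else:
        # Older layout: "used" includes buffers and cache, so subtract them.
        cache = row["buffers"] + row["cached"]
        app_used = row["used"] - cache
    return {"total": row["total"], "app_used": app_used,
            "buff_cache": cache, "free": row["free"]}


def check_old_layout(text, tolerance=2):
    """Compare the computed figure with the '-/+ buffers/cache' row, if present."""
    m = re.search(r"^-/\+ buffers/cache:\s+(\d+)\s+(\d+)", text, re.M)
    if not m:
        return None  # newer layout has no such row
    # free rounds each column separately, so allow a small difference.
    return abs(parse_free(text)["app_used"] - int(m.group(1))) <= tolerance
```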
