[Bro] CPU usage with no traffic on Bro 2.5 with AF_PACKET
ed.sealing at sealingtech.org
Sat Dec 17 09:54:58 PST 2016
Thanks Jon. I'll take a look. I should clarify.
I'm working on a multi-tenant solution with Bro, Docker, and SR-IOV. The
plan is to support 10Gbps+, with VLANs as the dividers for tenants. The
containerized Bro is working and I'm able to run multiple Bro instances for
multiple tenants. However, when I start additional Bro containers, they
each consume 6% CPU (12% for 2, 18% for 3, etc).
Would the usleep patch still apply to a high-throughput solution?
On Sat, Dec 17, 2016 at 12:16 PM, Zeolla at GMail.com <zeolla at gmail.com> wrote:
> I have a fork of 2.5 that may help. It's intended to minimize CPU load on
> sensors that see low volume/sensor-local traffic. Check out the most
> recent commits, shout out to Justin for the basis of the tweaks.
> On Sat, Dec 17, 2016, 12:05 Ed Sealing <ed.sealing at sealingtech.org> wrote:
>> I'm seeing ~6% CPU utilization on workers, with no traffic. Is that
>> expected? Is there any way to minimize the CPU load?
>> Using AF_PACKET plugin. The cores are isolated using "isolcpus", so
>> nothing else should be running on them. Workers are pinned to the CPUs in
>> Bro mailing list
>> bro at bro-ids.org
> Sent from my mobile device
*Ed Sealing President / CEO*
*CISSP, CEH, RHCSA*
7226 Lee Deforest Dr.
Columbia, MD 21046
Mobile: (301) 885-6947
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro