[Bro] Bro 2.5 CPU usage
Azoff, Justin S
jazoff at illinois.edu
Fri Nov 25 08:59:39 PST 2016
Bro doesn't do a great job of using low amounts of CPU at low data rates - it's more tweaked for a constant packet rate.
I use the following patch at home (it applies on 2.4-2.5) which reduces cpu quite a bit when traffic rates are extremely low
@@ -137,7 +137,7 @@
// decrease CPU load. I guess that's because it allows
// the kernel's packet buffers to fill. - Robin
timeout.tv_sec = 0;
- timeout.tv_usec = 20; // SELECT_TIMEOUT;
+ timeout.tv_usec = 2000; // SELECT_TIMEOUT;
select(0, 0, 0, 0, &timeout);
@@ -359,7 +359,7 @@
if ( ! communication_enabled )
// Flawfinder says about usleep:
@@ -234,7 +234,7 @@
if ( ! Killed() )
signal_val = old_signal_val;
- Justin Azoff
> On Nov 25, 2016, at 11:45 AM, Dave Crawford <bro at pingtrip.com> wrote:
> I finally had an opportunity to install a Bro 2.5 cluster in the lab for review and was surprised to see a higher CPU usage than 2.4 deployments.
> A clean install with (w/ PF_RING) never drops below 25% CPU per worker at idle, meaning I’ve disabled the SPAN traffic and Bro stays at 25%.
> I then went as far as disabling every default script except for the following:
> @load misc/loaded-scripts
> @load tuning/defaults
> @load misc/capture-loss
> @load misc/profiling.bro
> @load misc/stats
> And the CPU remains at 25%.
> Has anyone experienced similar results with 2.5?
> Bro mailing list
> bro at bro-ids.org
More information about the Bro