[Bro] Significant slow for smtp traffic

duhang darkheaven1983 at gmail.com
Tue Mar 21 05:05:15 PDT 2017


I am trying to use Bro to monitor SMTP requests in my network. Before
putting it into production, I simulated the SMTP traffic between clients and
the SMTP server using Avalanche at the rate of 100 emails/second to test the
performance of Bro. The size of the attachment is random, between a few KBs
and 8MB. I was running a Bro cluster using pf_ring as the load balancer and
launching 20 workers pinned on different CPUs. The average network bandwidth
is about 200M - 300M. I observed significant slowness in getting SMTP requests
to show in the log. The CPU usage is pretty high (100% for every CPU I
pinned) and is busy doing memcpy in BroString.cc:concatenate. After a few
minutes, I can see a significant drop in the statistics of pf_ring.

Are there any suggestions for how I can cope with this traffic?