[Bro] Bro cluster's CPU usage

Shuai Hao haoscs at gmail.com
Sun Nov 5 14:37:08 PST 2017

Hi All,

We are performing a benchmark to quantify the CPU usage of our Bro
deployment. We set up a testbed: two hosts are connected by a switch, and a
third host is running Bro and inspecting the traffic by port mirroring.

Bro is running in cluster mode, and pf_ring is enabled to
utilize the dual cores. We use iperf to send traffic with a controlled
target bandwidth to investigate the CPU usage of Bro's processes.

We see two workers' processes ($~bro/bin/bro -i eth -U .status -p broctl
...) typically run at a CPU usage of 20% - 25% on each core, which is
consistent with some previous discussion. When we run the benchmark, with
the increase of transmission rates, we see the CPU usage of the workers'
processes increasing, which is reasonable.

The question is that sometimes we see a significant increase (60%~70%) in
CPU usage from two loggers' processes ($~bro/bin/bro -U .status -p broctl
... logger ...). How should we understand the resources consumed by the
loggers? For our case, what is a reasonable approach to evaluate Bro's
CPU usage?

Thanks for your comments!
