[Bro-Dev] Runtime increases

Siwek, Jon jsiwek at illinois.edu
Sun Jan 18 07:41:20 PST 2015

> On Jan 16, 2015, at 5:39 PM, Robin Sommer <robin at icir.org> wrote:
>> When I measured timing differences caused by adding file reassembly,
>> it was usually around +1%.
> Do you understand where that increase is coming from? Is it indeed
> because Bro is doing additional reassembly work now? In other words,
> it's not overhead incurred on traffic that does't require reassembly?

Roughly: the increase of “default_file_bof_buffer_size” from 1024 to 4096 bytes is significant.  That affects all file analysis, not just what needs reassembling.  This setting changes how much data is copied in to a buffer for use with mime type signature matching.  IIRC, signature matching is a large portion of file analysis cost.

Average timings for 5 runs of `time bro -r ipv6.trace local "Site::local_nets={}”`:

bro/master, default_file_bof_buffer_size=4096
avg real is 9.9484 seconds
avg sys is 0.718 seconds
avg user is 11.3786 seconds

bro/master, default_file_bof_buffer_size=1024
avg real is 9.356 seconds
avg sys is 0.6782 seconds
avg user is 10.9312 seconds

bro/6f2b8cb, default_file_bof_buffer_size=4096
avg real is 10.018 seconds
avg sys is 0.691 seconds
avg user is 11.4358 seconds

bro/6f2b8cb, default_file_bof_buffer_size=1024
avg real is 9.4856 seconds
avg sys is 0.7148 seconds
avg user is 11.1298 seconds

Interesting that for the same default_file_bof_buffer_size, the new version of Bro w/ file reassembly is actually better.

Does that help, or want me to look more in to it?

- Jon

More information about the bro-dev mailing list