[Bro-Dev] Performance Issues after the fe7e1ee commit?
McMullan, Tim
Tim.McMullan at sig.com
Wed Jun 6 09:54:28 PDT 2018
We are running into performance issues (30x slower) since the Broker patch (fe7e1ee).
We have 40G connections tapped from our storage filers feeding multiple Bro instances which analyze specifically only NFS and SMB traffic; all other analyzers are disabled. With the Broker patch we are seeing processing times for a ~1GB pcap jump from around 2 seconds to over 1 minute. Profiling Bro, it looks like the culprit is the new Actor functions:
# Before patch
Overhead  Shared Object  Symbol
  14.57%  [kernel]       [k] copy_user_enhanced_fast_string
   3.20%  bro            [.] EventHandler::operator bool
   2.99%  bro            [.] _siphash
   2.89%  bro            [.] Dictionary::Lookup
# After patch
Overhead  Shared Object          Symbol
   5.71%  [kernel]               [k] native_write_msr_safe
   3.84%  libcaf_core.so.0.15.7  [.] caf::scheduler::worker<caf::policy::work_stealing>::run
   3.71%  libcaf_core.so.0.15.7  [.] caf::detail::double_ended_queue<caf::resumable>::take_head
   3.29%  [kernel]               [k] _raw_spin_lock
Is the Bro development team still optimizing the Broker/Actor framework? It might be helpful to have a way to disable Broker for those of us who haven't migrated to it yet.
# ~1GB file time (old)
$ time /hostname/bro-devel/bin/bro -r 20180606-1049-prodfilers-truncated_00000_20180606104904.pcap master.bro
real 0m2.294s
user 0m1.862s
sys 0m0.385s
# ~1GB file time (new)
$ time /hostname/bro-devel/bin/bro -r 20180606-1049-prodfilers-truncated_00000_20180606104904.pcap master.bro
real 1m11.458s
user 0m58.933s
sys 1m34.074s
Thanks!
--Tim