[Bro-Dev] Performance Issues after the fe7e1ee commit?

McMullan, Tim Tim.McMullan at sig.com
Wed Jun 6 09:54:28 PDT 2018

We are running into performance issues (30x slower) since the Broker patch (fe7e1ee) -

We have 40G connections tapped from our storage filers feeding multiple Bro instances which analyze specifically only NFS and SMB traffic; all other analyzers are disabled.  With the broker patch we are seeing processing times for a ~1GB pcap jump from around 2 seconds to over 1 minute. Profiling Bro, it looks like the culprit is the new Actor functions --

# Before patch
Overhead  Shared Object          Symbol
  14.57%  [kernel]              [k] copy_user_enhanced_fast_string
   3.20%  bro                   [.] EventHandler::operator bool
   2.99%  bro                   [.] _siphash
   2.89%  bro                   [.] Dictionary::Lookup

# After patch
Overhead  Shared Object          Symbol
   5.71%  [kernel]               [k] native_write_msr_safe
   3.84%  libcaf_core.so.0.15.7  [.] caf::scheduler::worker<caf::policy::work_stealing>::run
   3.71%  libcaf_core.so.0.15.7  [.] caf::detail::double_ended_queue<caf::resumable>::take_head
   3.29%  [kernel]               [k] _raw_spin_lock

Is the Bro development team still optimizing the Broker/Actor framework? It might be helpful to have a way to disable Broker for those of us who haven't migrated to it yet.

#  ~1GB file time (old)
$ time /hostname/bro-devel/bin/bro -r 20180606-1049-prodfilers-truncated_00000_20180606104904.pcap  master.bro

real    0m2.294s
user    0m1.862s
sys     0m0.385s

#  ~1GB file time  (new)
$ time /hostname/bro-devel/bin/bro -r 20180606-1049-prodfilers-truncated_00000_20180606104904.pcap master.bro

real    1m11.458s
user    0m58.933s
sys     1m34.074s


