[Bro] A more parallel Bro
Robin Sommer
robin at icir.org
Thu Mar 5 13:38:21 PST 2009
On Wed, Mar 04, 2009 at 10:33 -0600, you wrote:
> I'm going to start analyzing Bro's memory use and performance; do you have
> any recommendations about which policy I use?
Here's a sequence of scripts imposing increasing load on Bro that we
have been using in the past for some of our measurements:
(1) tcp
(2) tcp mt
(3) tcp mt scan trw
(4) tcp mt scan trw udp icmp
(5) tcp mt scan trw udp icmp http-request http-reply http-body http-header
(6) tcp mt scan trw udp icmp http-request http-reply http-body http-header ssh pop3 irc ssl smtp
It's also worth comparing running with the connection compressor vs.
without (use_connection_compressor=T/F). And keep an eye on the
packet filter; it's easy to forget but can have quite an impact on
performance depending on what it lets through and what not.
Robin
--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
More information about the Bro
mailing list