[Bro] Bro Memory Consumtion
Powell, Scott
powellsm at musc.edu
Thu Mar 25 12:45:27 PDT 2010
I recompiled without IPv6 and int64 today and so far my memory footprint is considerably lower, as expected. I will keep an eye on it over the next few days (I have disabled my nightly restart cron) and see how it behaves.
We have just brought IPv6 to our border router and will soon be testing it in the perimeter. Hopefully by the time we get anywhere close to wide spread usage Bro will have better support for it. Wishful thinking, huh? :)
-----Original Message-----
From: Seth Hall [mailto:hall.692 at osu.edu]
Sent: Wednesday, March 24, 2010 9:54 AM
To: Powell, Scott
Cc: Justin Azoff; bro at ICSI.Berkeley.EDU
Subject: Re: [Bro] Bro Memory Consumtion
On Mar 24, 2010, at 9:38 AM, Powell, Scott wrote:
> Yes, I did include '--enable-brov6' because we are getting ready to
> rollout IPv6 in or perimeter and I was also seeing messages from Bro
> that it was not compiled with IPv6 support (via "broctl diag").
Rebuild Bro without brov6 and int64 for now. Currently when you
enable IPv6, all IP addresses consume 128-bits of memory (even IPv4
addresses!). You can see that this is what's happening by looking at
the line in your prof.log that starts with "Conns:". It indicates
that memory consumed just by connection state is over 3G (3372528K).
There has been talk about changing things around so that IPv4
addresses still only take up 32-bits of memory even when IPv6 is
enabled, but I don't know where those discussions ended and I don't
know how difficult of a change that would be to make. Maybe Robin or
Vern will comment on that? :)
The IPv6 code has not been tested all that well either, so it's also
possible that there are some memory leaks or other bugs lurking that
could lead to high memory use.
.Seth
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
More information about the Bro
mailing list