[Bro] Version: 2.0-907 -- Bro manager memory exhaustion
Robin Sommer
robin at icir.org
Tue Jul 31 08:11:28 PDT 2012
On Mon, Jul 30, 2012 at 20:57 +0000, you wrote:
> The deployment consists of six servers; one as a manager and the other five
> as nodes. Each node runs 20 workers and 2 proxies. The manager is
> FreeBSD; the workers are Linux with PF_RING transparent_mode=2.
(Note, you don't need 2 proxies per node; it may actually already be
fine to run a single proxy on the manager box).
> After starting bro, the manger continually consumes memory until system
> exhaustion (64GB). The CPU usage is high as well.
That's not a good sign for the manager ... It's possible that we have
a memory leak in there. Has it worked better with 2.0? (If you have
tried that?)
> Another problem is over 50% of the workers consume 100% CPU. This is very
> odd considering the low volume traffic between 400-1000 Mbps per node.
So that's 400-1000 Mbps divided by 20 workers processes? I'll let
other's chime in here, not really sure what to expect with PF_RING in
that setup.
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
More information about the Bro
mailing list