[Bro] Multiple processes in Bro

M P mpselab at gmail.com
Thu Jul 30 07:03:33 PDT 2015


On Thursday, July 30, 2015, Vito Logrillo <vitologrillo at gmail.com> wrote:

> Hi All,
> I'm testing Bro 2.4 in standalone (non-clustered) configuration and
> I've seen a strange behaviour: below is the output obtained from the "ps -aux
> | grep bro" command
>
> root     16911  0.0  0.0   5544  1524 ?        S    15:08   0:00
> /bin/bash /usr/local/bro/share/broctl/scripts/run-bro -1 -i eth1 -U
> .status -p broctl -p broctl-live -p standalone -p local -p bro
> local.bro broctl broctl/standalone broctl/auto
> root     16917 58.0  4.4 414584 174960 ?       Rl   15:08   9:54
> /usr/local/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p
> standalone -p local -p bro local.bro broctl broctl/standalone
> broctl/auto
> root     16924  0.0  1.3 124700 53848 ?        SN   15:08   0:00
> /usr/local/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p
> standalone -p local -p bro local.bro broctl broctl/standalone
> broctl/auto
>
> I don't understand why two processes (pid 16917 and 16924) are
> present: only one process should be present .... or not?
> Regards,
> Vito Logrillo
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>


That would most probably be supporting threads other than the packet processing
thread. I have seen similar behavior in other single-threaded network
packet processing and IDS products.

MP