[Bro] question about intel files
Azoff, Justin S
jazoff at illinois.edu
Wed Aug 3 07:24:18 PDT 2016
> On Aug 3, 2016, at 10:03 AM, philosnef <philosnef at yahoo.com> wrote:
>
> total used free shared buffers cached
> Mem: 371336 340383 30952 0 300 111823
> -/+ buffers/cache: 228259 143076
> Swap: 15999 191 15808
>
>
Ah, I think you have been looking at the wrong numbers.
You are only using 228259M, (~222G, not 355G)
111823M is unallocated and currently used for buffer/disk cache.
This amount will always grow until it ends up using almost all the 'free' memory on the machine.
The reason why the OOM killer isn't killing anything is because you still have over 128G of ram free.
I added up all the ram usage from the output of bro top, and adding some overhead for the rounded amounts measured in gigs, came to
56184M.
Minus splunk, that does still leave about 150G unaccounted for.
I believe some of that will be used by packet buffers in the kernel, depending on how you have configured pf_ring.
But even at a huge 1G buffer for each of 20 workers (which I think is much much more than it uses by default) that is only another 20G.
--
- Justin Azoff
More information about the Bro
mailing list