[Bro] Bro drop packets while not using CPU at full capacity

Dave Crawford bro at pingtrip.com
Fri Jun 24 19:50:22 PDT 2016


Is it possible that the CPU has two cores and Bro is consuming 100% of one core? Some tools average the core utilization to report "CPU usage".

> On Jun 24, 2016, at 7:45 PM, Hashem Alaidaros <aidaros.dev at gmail.com> wrote:
> 
> Hi All
> I use Bro for my PhD research. I add scripts in Bro and then see the CPU and packet drop rate, using @load stats.bro. I'm using Bro 2.3 with standard libcap.
> I use tcpreplay from Machine A to replay the pre-captured traffic into the Bro multi-core machine B through a port mirror switch. I replay the traffic from 100 to 1000 Mbps. When it reaches 200 Mbps and onward, packets start to drop and the drops increase. Surprisingly, the CPU is not fully utilized; the CPU is still at 40% usage. What we know is that packet drops result from full CPU load, but in our case the CPU is still at less than 50%, so my question is: what is the cause of this packet drop? Is it normal?
> 
> Best regards
> Aidaros
> 
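Added example (not part of the original thread): one way to check the per-core question raised in the reply, by comparing two Linux `/proc/stat` snapshots and reporting each core's utilization next to the averaged figure. The two snapshots are constructed sample data, and the 95% saturation threshold is an assumption.

```python
# Constructed /proc/stat snapshots taken some interval apart (sample data).
# Fields: user nice system idle iowait irq softirq steal guest guest_nice
SNAP_T0 = """\
cpu  4000 0 2000 34000 0 0 0 0 0 0
cpu0 1000 0 500 8500 0 0 0 0 0 0
cpu1 1000 0 500 8500 0 0 0 0 0 0
cpu2 1000 0 500 8500 0 0 0 0 0 0
cpu3 1000 0 500 8500 0 0 0 0 0 0
"""
SNAP_T1 = """\
cpu  5160 0 2340 36400 0 0 100 0 0 0
cpu0 1700 0 690 8510 0 0 100 0 0 0
cpu1 1150 0 550 9300 0 0 0 0 0 0
cpu2 1150 0 550 9300 0 0 0 0 0 0
cpu3 1160 0 550 9290 0 0 0 0 0 0
"""

def parse(snapshot):
    """Return {label: (busy_jiffies, total_jiffies)} for every cpu line."""
    out = {}
    for line in snapshot.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith("cpu"):
            continue
        # First eight counters only: guest time is already counted in user.
        vals = ([int(v) for v in parts[1:9]] + [0] * 8)[:8]
        total = sum(vals)
        idle = vals[3] + vals[4]          # idle + iowait
        out[parts[0]] = (total - idle, total)
    return out

def utilisation(before, after):
    """Percent busy per label between two snapshots ('cpu' is the average)."""
    a, b = parse(before), parse(after)
    pct = {}
    for label in b:
        if label not in a:
            continue
        d_busy = b[label][0] - a[label][0]
        d_total = b[label][1] - a[label][1]
        pct[label] = 100.0 * d_busy / d_total if d_total > 0 else 0.0
    return pct

def saturated_cores(pct, threshold=95.0):
    """Cores at or above the threshold, excluding the aggregate 'cpu' line."""
    return sorted(c for c, p in pct.items() if c != "cpu" and p >= threshold)

if __name__ == "__main__":
    result = utilisation(SNAP_T0, SNAP_T1)
    for label, p in result.items():
        print(f"{label:5s} {p:5.1f}%")
    print("saturated:", saturated_cores(result))
```

In the sample data the aggregate line reads 40% while `cpu0` is at 99%, so a tool that reports only the average hides a single saturated core.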