[Bro] Bro 2.5 CPU usage

[Azoff, Justin S]

Bro doesn't do a great job of using low amounts of CPU at low data rates - it's more tweaked for a constant packet rate.

I use the following patch at home (it applies on 2.4-2.5) which reduces cpu quite a bit when traffic rates are extremely low

--- a/bro-2.4/src/iosource/Manager.cc
+++ b/bro-2.4/src/iosource/Manager.cc
@@ -137,7 +137,7 @@
 		// decrease CPU load. I guess that's because it allows
 		// the kernel's packet buffers to fill. - Robin
 		timeout.tv_sec = 0;
-		timeout.tv_usec = 20; // SELECT_TIMEOUT;
+		timeout.tv_usec = 2000; // SELECT_TIMEOUT;
 		select(0, 0, 0, 0, &timeout);
 		}
 
--- a/bro-2.4/src/Net.cc
+++ b/bro-2.4/src/Net.cc
@@ -359,7 +359,7 @@
 			if ( ! communication_enabled )
 				usleep(100000);
 			else
-				usleep(1000);
+				usleep(10000);
 
 			// Flawfinder says about usleep:
 			//
--- a/bro-2.4/src/threading/MsgThread.cc
+++ b/bro-2.4/src/threading/MsgThread.cc
@@ -234,7 +234,7 @@
 			}
 
 		if ( ! Killed() )
-			usleep(1000);
+			usleep(10000);
 		}
 
 	signal_val = old_signal_val;


-- 
- Justin Azoff

> On Nov 25, 2016, at 11:45 AM, Dave Crawford <bro at pingtrip.com> wrote:
> 
> I finally had an opportunity to install a Bro 2.5 cluster in the lab for review and was surprised to see a higher CPU usage than 2.4 deployments.
> 
> A clean install with (w/ PF_RING)  never drops below 25% CPU per worker at idle, meaning I’ve disabled the SPAN traffic and Bro stays at 25%.
> 
> I then went as far as disabling every default script except for the following:
> 
> @load misc/loaded-scripts
> @load tuning/defaults
> @load misc/capture-loss
> @load misc/profiling.bro
> @load misc/stats
> 
> And the CPU remains at 25%. 
> 
> Has anyone experienced similar results with 2.5?
> 
> -Dave
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro