[Bro] Bro 2.5 CPU usage

Dave Crawford bro at pingtrip.com
Fri Nov 25 09:34:43 PST 2016


Thanks again Justin, the CPU now sits down around 3% on extremely low traffic links.
 
> On Nov 25, 2016, at 11:59 AM, Azoff, Justin S <jazoff at illinois.edu> wrote:
> 
> Bro doesn't do a great job of using low amounts of CPU at low data rates - it's more tweaked for a constant packet rate.
> 
> I use the following patch at home (it applies on 2.4-2.5), which reduces CPU quite a bit when traffic rates are extremely low:
> 
> --- a/bro-2.4/src/iosource/Manager.cc
> +++ b/bro-2.4/src/iosource/Manager.cc
> @@ -137,7 +137,7 @@
> 		// decrease CPU load. I guess that's because it allows
> 		// the kernel's packet buffers to fill. - Robin
> 		timeout.tv_sec = 0;
> -		timeout.tv_usec = 20; // SELECT_TIMEOUT;
> +		timeout.tv_usec = 2000; // SELECT_TIMEOUT;
> 		select(0, 0, 0, 0, &timeout);
> 		}
> 
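Review bot: The new value in `timeout.tv_usec = 2000; // SELECT_TIMEOUT;` is a bare literal, and the trailing comment names a constant that is not actually used. Since `select(0, 0, 0, 0, &timeout)` acts purely as a sleep here, this raises the idle pause from 20 µs to 2 ms, so the kernel packet buffers that Robin's comment mentions have to absorb whatever arrives during that window. I would put the value behind a named constant or a tunable, and extend the comment to say that the longer sleep trades read latency and buffer headroom for lower idle CPU.
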
> --- a/bro-2.4/src/Net.cc
> +++ b/bro-2.4/src/Net.cc
> @@ -359,7 +359,7 @@
> 			if ( ! communication_enabled )
> 				usleep(100000);
> 			else
> -				usleep(1000);
> +				usleep(10000);
> 
> 			// Flawfinder says about usleep:
> 			//
> --- a/bro-2.4/src/threading/MsgThread.cc
> +++ b/bro-2.4/src/threading/MsgThread.cc
> @@ -234,7 +234,7 @@
> 			}
> 
> 		if ( ! Killed() )
> -			usleep(1000);
> +			usleep(10000);
> 		}
> 
> 	signal_val = old_signal_val;
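Review bot: `usleep(10000)` after the `if ( ! Killed() )` check repeats the literal introduced in Net.cc, and the two values can drift apart if only one is tuned later. A shared named constant would avoid that. It also means `Killed()` is re-checked at most once every 10 ms on this path instead of once every 1 ms, which deserves a one-line comment so the slower reaction to termination and to newly queued messages is a documented choice.
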
> 
> 
> -- 
> - Justin Azoff
> 
>> On Nov 25, 2016, at 11:45 AM, Dave Crawford <bro at pingtrip.com> wrote:
>> 
>> I finally had an opportunity to install a Bro 2.5 cluster in the lab for review and was surprised to see a higher CPU usage than 2.4 deployments.
>> 
>> A clean install (w/ PF_RING) never drops below 25% CPU per worker at idle, meaning I’ve disabled the SPAN traffic and Bro stays at 25%.
>> 
>> I then went as far as disabling every default script except for the following:
>> 
>> @load misc/loaded-scripts
>> @load tuning/defaults
>> @load misc/capture-loss
>> @load misc/profiling.bro
>> @load misc/stats
>> 
>> And the CPU remains at 25%. 
>> 
>> Has anyone experienced similar results with 2.5?
>> 
>> -Dave
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 



