[Bro] Bro 2.5 CPU usage

Michael Shirk shirkdog.bsd at gmail.com
Fri Nov 25 09:43:48 PST 2016


Is this something worthy of a feature request for low bandwidth setups?

In addition to something like this, I have to do a patch for very low
network traffic with bro cron reporting network traffic has stopped on the
monitoring interface.

--
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com

On Nov 25, 2016 12:17 PM, "Dave Crawford" <bro at pingtrip.com> wrote:

> Thanks Justin. The patch should be perfect for home/lab deployments. A
> tight ‘select loop’ looks like the exact culprit:
>
> % time     seconds  usecs/call     calls    errors syscall
> ------ ----------- ----------- --------- --------- ----------------
>  63.26    0.053786           0    307412           select
>  36.74    0.031237           0    153591           nanosleep
>   0.00    0.000000           0       157       127 read
>   0.00    0.000000           0       153           write
>   0.00    0.000000           0         2           stat
>   0.00    0.000000           0        16           kill
>   0.00    0.000000           0         8           getrusage
>   0.00    0.000000           0         1           restart_syscall
> ------ ----------- ----------- --------- --------- ----------------
> 100.00    0.085023                461340       127 total
>
> -Dave
>
> On Nov 25, 2016, at 11:59 AM, Azoff, Justin S <jazoff at illinois.edu> wrote:
>
> Bro doesn't do a great job of using low amounts of CPU at low data rates -
> it's more tweaked for a constant packet rate.
>
> I use the following patch at home (it applies on 2.4-2.5) which reduces
> CPU quite a bit when traffic rates are extremely low.
>
> --- a/bro-2.4/src/iosource/Manager.cc
> +++ b/bro-2.4/src/iosource/Manager.cc
> @@ -137,7 +137,7 @@
> // decrease CPU load. I guess that's because it allows
> // the kernel's packet buffers to fill. - Robin
> timeout.tv_sec = 0;
> - timeout.tv_usec = 20; // SELECT_TIMEOUT;
> + timeout.tv_usec = 2000; // SELECT_TIMEOUT;
> select(0, 0, 0, 0, &timeout);
> }
>
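Review bot: The new `timeout.tv_usec = 2000;` is still a bare literal, and the trailing `// SELECT_TIMEOUT;` comment suggests a named constant was intended at this spot. Define that constant (or a runtime tunable) rather than editing the number in place, and extend the comment above it to state the trade-off: each pass through this idle path now sleeps 100 times longer, which lets the kernel's packet buffers fill for longer, so the value is aimed at low-rate deployments.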
> --- a/bro-2.4/src/Net.cc
> +++ b/bro-2.4/src/Net.cc
> @@ -359,7 +359,7 @@
> if ( ! communication_enabled )
> usleep(100000);
> else
> - usleep(1000);
> + usleep(10000);
>
> // Flawfinder says about usleep:
> //
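Review bot: The changed `usleep(10000)` sits in the `else` branch, which is the path taken when `communication_enabled` is true, so the tenfold longer sleep applies exactly where communication is in use. Give this value and the `usleep(100000)` in the other branch names, and add a comment that each sleep can now delay the next pass by up to 10 ms, so deployments that rely on communication can keep the old value.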
> --- a/bro-2.4/src/threading/MsgThread.cc
> +++ b/bro-2.4/src/threading/MsgThread.cc
> @@ -234,7 +234,7 @@
> }
>
> if ( ! Killed() )
> - usleep(1000);
> + usleep(10000);
> }
>
> signal_val = old_signal_val;
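Review bot: `usleep(10000)` after `if ( ! Killed() )` repeats the literal introduced in Net.cc; a shared named constant would keep the two values in step. The `Killed()` check happens only before the sleep, so a kill that arrives during it is not seen until the sleep returns, now up to 10 ms rather than 1 ms. Note that in a comment, or keep the shorter value here if prompt shutdown matters.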
>
>
> --
> - Justin Azoff
>
> On Nov 25, 2016, at 11:45 AM, Dave Crawford <bro at pingtrip.com> wrote:
>
> I finally had an opportunity to install a Bro 2.5 cluster in the lab for
> review and was surprised to see a higher CPU usage than 2.4 deployments.
>
> A clean install (w/ PF_RING) never drops below 25% CPU per worker at
> idle, meaning I’ve disabled the SPAN traffic and Bro stays at 25%.
>
> I then went as far as disabling every default script except for the
> following:
>
> @load misc/loaded-scripts
> @load tuning/defaults
> @load misc/capture-loss
> @load misc/profiling.bro
> @load misc/stats
>
> And the CPU remains at 25%.
>
> Has anyone experienced similar results with 2.5?
>
> -Dave
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
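
The idle behaviour discussed in this thread can be measured directly. The C program below is an added example, not code from the thread or from the Bro source: it repeats the `select(0, 0, 0, 0, &timeout)` sleep with the two `tv_usec` values from the Manager.cc hunk and counts wakeups. The function names and the 200 ms sample window are assumptions made for the example.

```c
/* Added example: count wakeups of an idle select() sleep loop. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/select.h>
#include <time.h>

/* Microseconds elapsed on the monotonic clock since *start. */
static long elapsed_usec(const struct timespec *start)
{
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    return (now.tv_sec - start->tv_sec) * 1000000L +
           (now.tv_nsec - start->tv_nsec) / 1000L;
}

/*
 * Repeat the fd-less select() sleep for window_usec microseconds and
 * return how many times the process woke up. Each wakeup costs at least
 * one select syscall, which is what dominates the strace summary above.
 */
long count_idle_wakeups(long timeout_usec, long window_usec)
{
    struct timespec start;
    long wakeups = 0;

    clock_gettime(CLOCK_MONOTONIC, &start);
    while (elapsed_usec(&start) < window_usec) {
        /* Linux may modify the timeval, so set it on every pass. */
        struct timeval timeout;
        timeout.tv_sec = 0;
        timeout.tv_usec = timeout_usec;
        select(0, 0, 0, 0, &timeout);   /* no fds: a pure sleep */
        wakeups++;
    }
    return wakeups;
}

int main(void)
{
    const long window = 200000;  /* 200 ms sample, constructed value */
    long before = count_idle_wakeups(20, window);    /* stock timeout */
    long after = count_idle_wakeups(2000, window);   /* patched timeout */

    printf("tv_usec=20:   %ld wakeups in 200 ms\n", before);
    printf("tv_usec=2000: %ld wakeups in 200 ms\n", after);
    return 0;
}
```

The absolute counts depend on the kernel's timer granularity; the ratio between the two lines is the part that carries over to other hosts.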