[Bro] Significant slow for smtp traffic

duhang darkheaven1983 at gmail.com
Wed Mar 22 04:48:28 PDT 2017


Just found out that it is the smtp_data event which causes the slowness. What's
the suggested event to capture the smtp body and save it as an eml file?

2017-03-21 20:05 GMT+08:00 duhang <darkheaven1983 at gmail.com>:

> Hello,
>
> I am trying to use bro to monitor smtp requests in my network. Before
> putting it into production, I simulated the smtp traffic between clients and
> the smtp server using avalanche at the rate of 100 emails/second to test the
> performance of bro. The size of the attachment is random, between a few KBs
> and 8MB. I was running a bro cluster using pf_ring for load balancing and
> launching 20 workers pinned on different CPUs. The average network bandwidth
> is about 200M - 300M. I observed a significant delay before smtp requests
> show up in the log. The CPU usage is pretty high (100% for every cpu I
> pinned) and is busy doing memcpy in BroString.cc:concatenate. After a few
> minutes, I can see a significant drop in the statistics of pf_ring.
>
> Is there any suggestion for how I can cope with this traffic?