[Bro] Bro load with no traffic

fatema bannatwala fatema.bannatwala at gmail.com
Thu Oct 18 07:41:13 PDT 2018


Does anyone know why Bro would be using resources when no traffic is flowing
to the sensor?
Recently we were having some ECC errors on one of our sensors and turned
off the traffic to that sensor for troubleshooting purposes.
Noticed that the load was pretty high (~7) on that sensor, and was
wondering what Bro must be doing that would cause that load, shouldn't it
be just waiting for the packets without using much cpu/memory resources on
the box?

Stats when no traffic is flowing to the sensor, with Bro processes running because
of cron on the manager kicking the Bro processes on the workers:

$ top
top - 12:18:17 up 13 days, 19:12,  2 users,  load average: 6.72, 7.05, 7.34
Tasks: 555 total,   9 running, 546 sleeping,   0 stopped,   0 zombie
%Cpu(s):  9.7 us,  5.7 sy,  0.0 ni, 84.5 id,  0.0 wa,  0.0 hi,  0.1 si,  0.0 st
KiB Mem : 13191564+total, 95957600 free, 32708392 used,  3249652 buff/cache
KiB Swap:  8388600 total,  8388600 free,        0 used. 98285016 avail Mem


When the traffic was turned back on, load average:
$ top
top - 10:39:52 up 1 day, 19:02,  2 users,  load average: 12.89, 12.89, 12.82
Tasks: 551 total,  11 running, 540 sleeping,   0 stopped,   0 zombie
%Cpu(s): 20.9 us,  6.1 sy,  0.1 ni, 72.4 id,  0.0 wa,  0.0 hi,  0.5 si,  0.0 st
KiB Mem : 11540057+total, 59135456 free, 52346920 used,  3918204 buff/cache
KiB Swap:  8388600 total,  8388600 free,        0 used. 62253548 avail Mem

Any thoughts? :)

Thanks,
Fatema