[Bro] Bro load with no traffic

Jon Siwek jsiwek at corelight.com
Thu Oct 18 15:26:40 PDT 2018


On Thu, Oct 18, 2018 at 10:01 AM fatema bannatwala
<fatema.bannatwala at gmail.com> wrote:
>
> Does anyone know why Bro would be using resources when no traffic is flowing to the sensor?

Currently, Bro's main loop never completely idles in absence of input,
so something on the order of 5% cpu usage in absence of network
traffic might still be "normal".  Also note that packets aren't
the only input source.  As an example, if you shut off traffic
suddenly, but had a large backlog of Broker messages or continued to
send/recv remote messages, that could be processing resources that Bro
continues to use for some time.  The event engine also continues on
with any scheduled events, etc.

So not particularly unexpected to hear there's some load in absence of
packets, but hard to say specifically what causes the load in this
case -- you may need to profile/trace if you're really interested.

- Jon

