[Bro] Bro load with no traffic

fatema bannatwala fatema.bannatwala at gmail.com
Fri Oct 19 12:13:09 PDT 2018


Thanks Jon, makes sense now.
I will see if we would want to deep dive into finding out what exactly
is causing the load. :)

Fatema.

On Thu, Oct 18, 2018 at 6:26 PM Jon Siwek <jsiwek at corelight.com> wrote:

> On Thu, Oct 18, 2018 at 10:01 AM fatema bannatwala
> <fatema.bannatwala at gmail.com> wrote:
> >
> > Does anyone know why Bro would be using resources when no traffic
> > is flowing to the sensor?
>
> Currently, Bro's main loop never completely idles in absence of input,
> so something on the order of 5% cpu usage in absence of network
> traffic might still be "normal".  Also note that packets aren't
> the only input source.  As an example, if you shut off traffic
> suddenly, but had a large backlog of Broker messages or continued to
> send/recv remote messages, that could be processing resources that Bro
> continues to use for some time.  The event engine also continues on
> with any scheduled events, etc.
>
> So not particularly unexpected to hear there's some load in absence of
> packets, but hard to say specifically what causes the load in this
> case -- you may need to profile/trace if you're really interested.
>
> - Jon
>