[Bro] Bro load with no traffic
Michał Purzyński
michalpurzynski1 at gmail.com
Fri Oct 19 13:03:05 PDT 2018
What Jon said.
There was a patch from Justin that lowered the load for embedded systems. It’s not really an issue on most / any production systems I’ve seen.
> On Oct 19, 2018, at 12:13 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>
> Thanks Jon, makes sense now.
> I will see if we would want to deep dive into finding out what exactly is causing the load. :)
>
> Fatema.
>
>> On Thu, Oct 18, 2018 at 6:26 PM Jon Siwek <jsiwek at corelight.com> wrote:
>> On Thu, Oct 18, 2018 at 10:01 AM fatema bannatwala
>> <fatema.bannatwala at gmail.com> wrote:
>> >
>> > Does anyone know why Bro would be using resources when no traffic is flowing to the sensor?
>>
>> Currently, Bro's main loop never completely idles in absence of input,
>> so something on the order of 5% cpu usage in absence of network
>> traffic might still be "normal". Also note that packets aren't
>> the only input source. As an example, if you shut off traffic
>> suddenly, but had a large backlog of Broker messages or continued to
>> send/recv remote messages, that could be processing resources that Bro
>> continues to use for some time. The event engine also continues on
>> with any scheduled events, etc.
>>
>> So not particularly unexpected to hear there's some load in absence of
>> packets, but hard to say specifically what causes the load in this
>> case -- you may need to profile/trace if you're really interested.
>>
>> - Jon