[Bro] Bro load with no traffic
fatema bannatwala
fatema.bannatwala at gmail.com
Sat Oct 20 08:56:45 PDT 2018
Sweet.. the patch looks interesting to deploy. Thanks!
The load is really not an issue in production for us, as the boxes are
pretty beefy with good amount of resources, which never get utilized to
it's full capacity,
but was just curious to know the reason for the high load when the bro
workers are idle (just wanted to make sure it's not some hardware, ex. ECC
errors of memory, that's going bad) :)
Thanks!
Fatema.
On Fri, Oct 19, 2018 at 4:03 PM Michał Purzyński <michalpurzynski1 at gmail.com>
wrote:
> What Jon said.
>
> There was a patch from Justin that lowered the load for embedded systems.
> It’s not really an issue on most / any production systems I’ve seen.
>
> On Oct 19, 2018, at 12:13 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
>
> Thanks Jon, makes sense now.
> I will see if we would want to deep dive into finding out what exactly
> causing the load. :)
>
> Fatema.
>
> On Thu, Oct 18, 2018 at 6:26 PM Jon Siwek <jsiwek at corelight.com> wrote:
>
>> On Thu, Oct 18, 2018 at 10:01 AM fatema bannatwala
>> <fatema.bannatwala at gmail.com> wrote:
>> >
>> > Does anyone know why Bro would be using resources when no traffic
>> flowing to the sensor?
>>
>> Currently, Bro's main loop never completely idles in absence of input,
>> so something on the order of 5% cpu usage in absence of network
>> traffic might still be "normal". Also note that that packets aren't
>> the only input source. As an example, if you shut off traffic
>> suddenly, but had a large backlog of Broker messages or continues to
>> send/recv remote messages, that could be processing resources that Bro
>> continues to use for some time. The event engine also continues on
>> with any scheduled events, etc.
>>
>> So not particularly unexpected to hear there's some load in absence of
>> packets, but hard to say specifically what causes the load in this
>> case -- you may need to profile/trace if you're really interested.
>>
>> - Jon
>>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181020/6f421ace/attachment-0001.html
More information about the Bro
mailing list