[Bro] Custom event handler script generates heavy CPU load with Bro 2.5.5 (PF_RING)
Elena Bykovchenko
holgrain at protonmail.com
Mon Oct 22 08:09:24 PDT 2018
Hello. I have a script which defines a custom handler on mime_data event:
event mime_all_data (c: connection, length: count, data: string)
{
// do stuff
}
When this script is ran with capturing traffic in PF_RING mode using lb_procs=2, Bro processes consume 100% of both pinned CPU cores. This is not the case when capturing without PF_RING in single process mode though. What are possible reasons for this? Can it be optimized on the script side? What can be done to lower the CPU usage?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181022/9b05d75b/attachment.html
More information about the Bro
mailing list