[Bro] Custom event handler script generates heavy CPU load with Bro 2.5.5 (PF_RING)
Seth Hall
seth at corelight.com
Wed Oct 24 07:38:25 PDT 2018
Hi Elena,
I think you're conflating two potential problems.
- Is handling the mime_all_data event causing overload?
- Is PF_Ring working correctly?
If you take your script out of the picture are you still seeing 100% cpu
utilization?
.Seth
On 22 Oct 2018, at 11:09, Elena Bykovchenko wrote:
> Hello. I have a script which defines a custom handler on mime_data
> event:
>
> event mime_all_data (c: connection, length: count, data: string)
> {
> // do stuff
> }
>
> When this script is ran with capturing traffic in PF_RING mode using
> lb_procs=2, Bro processes consume 100% of both pinned CPU cores. This
> is not the case when capturing without PF_RING in single process mode
> though. What are possible reasons for this? Can it be optimized on the
> script side? What can be done to lower the CPU
> usage?_______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
--
Seth Hall * Corelight, Inc * www.corelight.com
More information about the Bro
mailing list