[Zeek] Performance hit with long lived flows

Jon Siwek jsiwek at corelight.com
Fri Apr 10 10:27:03 PDT 2020

On Fri, Apr 10, 2020 at 12:07 AM Nabil Memon <nabilmemon.ec at gmail.com> wrote:

> I haven't explore if schedule routines works in the same main thread??

All script code is currently executed on the main thread.

> If yes, then obviously, this can hold bro's main packet processing thread and we may have a serious damage going through a big list of such table entries.
 But I also thought of scanning in some batches,

Right, there's potential for scripts that do a lot of work at one time
to interfere w/ packet processing and batching the work across time is
a possible solution.  Generalized coroutine support might also make it
a bit easier to structure such batch-and-yield logic, but don't think
there's near-term plans to add that feature.

- Jon

More information about the Zeek mailing list