[Zeek] Workers occasionally using 102% CPU
Justin Azoff
justin at corelight.com
Thu Feb 20 15:19:12 PST 2020
On Thu, Feb 20, 2020 at 5:06 PM Pete Nelson <petiepooo at gmail.com> wrote:
> I'm seeing an interesting problem on zeek 3.0.1 (running stock
> SecurityOnion sensor setup) where the main thread suddenly spikes to 100%
> CPU and stays there.
>
Could be an elephant flow...
> Any ideas what might be wrong? Any suggestions for further diagnosis?
> These are in production, so I can't do too much other than a restart and an
> occasional strace. I cannot reproduce in lab conditions.
>
Use perf! Start with this:
sudo perf record -C 3 -g -F199 --call-graph dwarf sleep 30
where 3 is the CPU core that worker is running on (zero-indexed).
Then run
sudo perf script |c++filt > perf.out
Then process that with https://github.com/brendangregg/FlameGraph or even
better https://github.com/Netflix/flamescope
You may be able to skip all that and just run
sudo perf top -C 3 -F199
to see what is going on, but recording helps if it's hard to catch or if
you want to automate it.
--
Justin
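
The reply above leaves two things to the reader: finding which core the busy worker is on, and automating the recording. The script below is an added example, not part of the original message or of Zeek. It goes beyond the message by picking the core automatically from two /proc samples taken a few seconds apart. The helper names (snapshot, hot_core, perf_cmds) are hypothetical, and it assumes Linux and a process named zeek.

```shell
#!/bin/sh
# Added example: find the core a pegged Zeek thread is on, then print the
# perf commands from the message for that core. Helper names are hypothetical.

# snapshot: one "tid cpu_ticks core" line per thread of every process named
# zeek (assumed name). sed drops " (comm)" so utime, stime and the last-used
# core, fields 14, 15 and 39 of /proc/.../stat, become 13, 14 and 38.
snapshot() {
    for pid in $(pgrep -x zeek); do
        cat /proc/"$pid"/task/*/stat 2>/dev/null
    done | sed 's/ (.*)//' | awk '{ print $1, $13 + $14, $38 }'
}

# hot_core BEFORE AFTER SECONDS MIN_PCT [HZ]: print "tid core pct" for the
# busiest thread at or above MIN_PCT between two snapshots, else nothing.
hot_core() {
    hz=${5:-$(getconf CLK_TCK)}
    printf '%s\n---\n%s\n' "$1" "$2" | awk -v secs="$3" -v min="$4" -v hz="$hz" '
        $1 == "---"    { second = 1; next }
        !second        { before[$1] = $2; next }
        ($1 in before) {
            pct = ($2 - before[$1]) * 100 / (hz * secs)
            if (pct >= min && pct > best) { best = pct; out = $1 " " $3 " " int(pct) }
        }
        END { if (out != "") print out }'
}

# perf_cmds CORE [SECONDS]: the two recording commands from the message.
perf_cmds() {
    echo "sudo perf record -C $1 -g -F199 --call-graph dwarf sleep ${2:-30}"
    echo "sudo perf script | c++filt > perf.out"
}

# Constructed snapshots taken 10 s apart at 100 ticks/s (not real data).
BEFORE='4121 885000 3
4130 1200 5
4188 402000 7'
AFTER='4121 886000 3
4130 1212 5
4188 402385 7
4199 40 2'

# On a sensor: a=$(snapshot); sleep 10; b=$(snapshot); hot_core "$a" "$b" 10 95
hit=$(hot_core "$BEFORE" "$AFTER" 10 95 100)
if [ -n "$hit" ]; then
    set -- $hit
    echo "# thread $1 on core $2 at $3% CPU"
    perf_cmds "$2"
fi
```

Sampling CPU ticks twice gives the usage over the interval, which catches a sudden spike that a lifetime average would hide. A thread that appears only in the second snapshot is skipped.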