[Zeek] Workers occasionally using 102% CPU

Justin Azoff justin at corelight.com
Thu Feb 20 15:19:12 PST 2020


On Thu, Feb 20, 2020 at 5:06 PM Pete Nelson <petiepooo at gmail.com> wrote:

> I'm seeing an interesting problem on zeek 3.0.1 (running stock
> SecurityOnion sensor setup) where the main thread suddenly spikes to 100%
> CPU and stays there.
>

Could be an elephant flow...


> Any ideas what might be wrong?  Any suggestions for further diagnosis?
> These are in production, so I can't do too much other than a restart and an
> occasional strace.  I cannot reproduce in lab conditions.
>

 Use perf!  Start with this:

    sudo perf record -C 3 -g -F199 --call-graph dwarf sleep 30

where 3 is the cpu core that worker is running on (zero indexed)

Then run

    sudo perf script |c++filt  > perf.out

Then process that with https://github.com/brendangregg/FlameGraph or even
better https://github.com/Netflix/flamescope

You may be able to skip all that and just run

    sudo perf top -C 3 -F199

to see what is going on, but recording helps if it's hard to catch or if
you want to automate it.

-- 
Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200220/e197fdd0/attachment.html 


More information about the Zeek mailing list