[Zeek] Workers occasionally using 102% CPU

Doug Burks doug.burks at gmail.com
Wed Mar 4 12:15:49 PST 2020


Hi Jon,

Replies inline.

On Wed, Mar 4, 2020 at 3:06 PM Jon Siwek <jsiwek at corelight.com> wrote:

> On Wed, Mar 4, 2020 at 8:36 AM Doug Burks <doug.burks at gmail.com> wrote:
>
> > - I've been able to trigger this issue fairly consistently using VMware
> Workstation with the VM set to 4 processors (seems easier to duplicate when
> using processors rather than cores)
>
> Thanks, I've reproduced with a similar configuration.  First thing I
> notice is `perf top` showing much time spent in
> `threading::Manager::NextTimestamp`, so now off to try and understand
> how it can get into that state.
>

I'm glad you were able to reproduce this!


>
> > (I've also duplicated this behavior using Zeek 3.0.2 compiled manually):
>
> I'm expecting to have to go this way either to add more
> instrumentation or test potential patches, so for consistency, can you
> provide the exact commands used from the point of ./configure until
> point of running/restarting zeek ?
>
>
> - Jon
>

Going off of memory, but it should have been rather standard:

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev
python-dev swig zlib1g-dev
./configure
make
sudo make install
modify /usr/local/zeek/etc/node.cfg and configure the standalone stanza to
sniff from the sniffing interface
sudo /usr/local/zeek/bin/zeekctl deploy

Please let me know if you need anything else.

Thanks!

-- 
Doug Burks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200304/1965c949/attachment.html 


More information about the Zeek mailing list