Bro cluster's CPU usage

Hi All,

We are performing a benchmark to quantify the CPU usage of our Bro deployment. We set up a testbed: two hosts are connected by a switch, and a third host is running Bro and inspecting the traffic via port mirroring.

Bro is running in cluster mode, and pf_ring is enabled to utilize the dual cores. We use iperf to send traffic at a controlled target bandwidth to investigate the CPU usage of Bro's processes.

We see two workers' processes ($~bro/bin/bro -i eth -U .status -p broctl …) typically running at a CPU usage of 20% - 25% on each core, which is consistent with some previous discussion. When we run the benchmark, the CPU usage of the workers' processes increases with the transmission rate, which is reasonable.

The question is that sometimes we see a significant increase (60%~70%) in CPU usage from the two loggers' processes ($~bro/bin/bro -U .status -p broctl … logger …). How should we understand the resources consumed by the loggers? For our case, what is a reasonable approach to evaluate Bro's CPU usage?

Thanks for your comments!

> Bro is running with the cluster mode, and the pf_ring is enabled to
> utilized the dual cores. We use iperf to send traffic with controlled
> target bandwidth to investigate the cpu usages of bro's processes.

That's not a good way to test Bro performance unless iperf traffic is what will be monitored when you move to operational use. Since Bro is so heavily centered around packet parsing and logging you are just overwhelming certain areas of Bro and not even executing other areas of it.

> The question is that sometimes we see a significant increase (60%~70%) from
> cpu usages from two loggers' processes ($~bro/bin/bro -U .status -p broctl
> ... logger ...). How we should understand the resources consumed by the
> loggers? For our case, what is the reasonable approach to evaluate Bro's
> cpu usage?

Those two logger processes you are seeing are actually a parent and child. The child does the socket communication with the other Bro processes and the parent is the Bro process. You will see increased CPU utilization from the logger as more logs are written. The next question that is brought up is what logs are being written. It's not always easy to guess.

   .Seth
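Seth's reply makes two points a benchmark should account for: each cluster role shows up as a parent/child pair, and logger CPU tracks the volume of logs written. The script below, an added example that is not part of this thread nor of Bro/broctl itself, attributes %CPU to each cluster role (splitting parent from child by PPID) and turns two line counts of the logger's log directory into lines-per-second per log, so a CPU jump can be matched to the log that caused it. It assumes samples are taken with `ps -eo pid,ppid,pcpu,args` and that the current logs live in a directory you pass in (e.g. the logger's spool directory); the `ps` output and log counts embedded here are constructed, and the command lines only mimic the shape quoted in the thread.

```python
"""Attribute Bro cluster CPU to roles and relate logger CPU to log volume.

Assumptions (not from the thread): process samples come from
`ps -eo pid,ppid,pcpu,args`; log line counts come from whatever directory
holds the logger's current *.log files. All sample data below is constructed.
"""
import os
import re
from collections import defaultdict

PS_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+([\d.]+)\s+(.*)$")
ROLE_TOKENS = ("logger", "manager", "proxy")

# Constructed `ps -eo pid,ppid,pcpu,args` output: each role appears twice,
# the second line of each pair being the child (its PPID is the parent's PID).
SAMPLE_PS = """\
  PID  PPID %CPU COMMAND
 1201     1  0.3 /usr/local/bro/bin/bro -U .status -p broctl -p manager local.bro broctl
 1202  1201  0.1 /usr/local/bro/bin/bro -U .status -p broctl -p manager local.bro broctl
 1210     1 22.4 /usr/local/bro/bin/bro -i eth1 -U .status -p broctl -p worker-1 local.bro broctl
 1211  1210  1.0 /usr/local/bro/bin/bro -i eth1 -U .status -p broctl -p worker-1 local.bro broctl
 1220     1 61.5 /usr/local/bro/bin/bro -U .status -p broctl -p logger local.bro broctl
 1221  1220  9.7 /usr/local/bro/bin/bro -U .status -p broctl -p logger local.bro broctl
"""

# Constructed line counts of the log directory taken 60 seconds apart.
LOG_SAMPLE_T0 = {"conn.log": 1000, "dns.log": 200, "weird.log": 5}
LOG_SAMPLE_T1 = {"conn.log": 7000, "dns.log": 800, "weird.log": 5, "ssl.log": 30}


def bro_role(args):
    """Derive the cluster role from a bro command line: a worker sniffs an
    interface (-i); logger, manager and proxy carry their name as an argument."""
    tokens = args.split()
    if "-i" in tokens:
        return "worker"
    for role in ROLE_TOKENS:
        if any(t == role or t.startswith(role + "-") for t in tokens):
            return role
    return "other"


def cpu_by_role(ps_text):
    """Sum %CPU per cluster role from ps output, separating the parent process
    from its child (a child is any bro process whose PPID is another bro PID)."""
    procs = []
    for line in ps_text.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue  # header or unrelated line
        pid, ppid, cpu, args = int(m[1]), int(m[2]), float(m[3]), m[4]
        if os.path.basename(args.split()[0]) != "bro":
            continue  # not a bro process
        procs.append((pid, ppid, cpu, bro_role(args)))
    bro_pids = {p[0] for p in procs}
    summary = defaultdict(lambda: {"parent": 0.0, "child": 0.0, "total": 0.0})
    for pid, ppid, cpu, role in procs:
        summary[role]["child" if ppid in bro_pids else "parent"] += cpu
        summary[role]["total"] += cpu
    return {r: {k: round(v, 1) for k, v in d.items()} for r, d in summary.items()}


def count_log_lines(log_dir):
    """One sample for log_rates(): line count of every *.log in log_dir."""
    counts = {}
    for name in os.listdir(log_dir):
        if name.endswith(".log"):
            with open(os.path.join(log_dir, name), "rb") as f:
                counts[name] = sum(1 for _ in f)
    return counts


def log_rates(before, after, seconds):
    """Lines written per second per log between two samples, busiest first."""
    rates = [(name, round((n1 - before.get(name, 0)) / seconds, 2))
             for name, n1 in after.items()]
    return sorted(rates, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for role, cpu in cpu_by_role(SAMPLE_PS).items():
        print(f"{role:8s} parent={cpu['parent']:5.1f} child={cpu['child']:5.1f} total={cpu['total']:5.1f}")
    for name, rate in log_rates(LOG_SAMPLE_T0, LOG_SAMPLE_T1, 60):
        print(f"{name:12s} {rate:8.2f} lines/s")
```

In a real run, replace `SAMPLE_PS` with the output of `ps -eo pid,ppid,pcpu,args` captured during the iperf test and take the two log samples with `count_log_lines()` some seconds apart; the busiest log in the second listing is the usual explanation for a logger CPU spike, and a per-role breakdown that shows the child carrying the load points at cluster communication rather than log writing.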