Does anyone know why Bro would be using resources when no traffic is flowing to the sensor?
Recently we were having some ECC errors on one of our sensors and turned off the traffic to that sensor for troubleshooting purposes.
Noticed that the load was pretty high (~7) on that sensor, and was wondering what Bro must be doing that would cause that load. Shouldn’t it be just waiting for the packets without using much CPU/memory resources on the box?
Stats when no traffic is flowing to the sensor, Bro processes running because of cron on the manager kicking the Bro processes on the workers:
$ top
top - 12:18:17 up 13 days, 19:12, 2 users, load average: 6.72, 7.05, 7.34
Tasks: 555 total, 9 running, 546 sleeping, 0 stopped, 0 zombie
%Cpu(s): 9.7 us, 5.7 sy, 0.0 ni, 84.5 id, 0.0 wa, 0.0 hi, 0.1 si, 0.0 st
KiB Mem : 13191564+total, 95957600 free, 32708392 used, 3249652 buff/cache
KiB Swap: 8388600 total, 8388600 free, 0 used. 98285016 avail Mem
When the traffic was turned back on, load average:
$ top
top - 10:39:52 up 1 day, 19:02, 2 users, load average: 12.89, 12.89, 12.82
Tasks: 551 total, 11 running, 540 sleeping, 0 stopped, 0 zombie
%Cpu(s): 20.9 us, 6.1 sy, 0.1 ni, 72.4 id, 0.0 wa, 0.0 hi, 0.5 si, 0.0 st
KiB Mem : 11540057+total, 59135456 free, 52346920 used, 3918204 buff/cache
KiB Swap: 8388600 total, 8388600 free, 0 used. 62253548 avail Mem
Any thoughts?
Thanks,
Fatema