I’m seeing ~6% CPU utilization on workers, with no traffic. Is that expected? Is there any way to minimize the CPU load?
Using AF_PACKET plugin. The cores are isolated using “isolcpus”, so nothing else should be running on them. Workers are pinned to the CPUs in the
[worker-1]
type=worker
host=localhost
interface=af_packet::eth1
lb_method=custom
lb_procs=14
pin_cpus=1,2,3,4,5,6,7,9,10,11,12,13,14,15
~Ed
I have a fork of 2.5 that may help. It’s intended to minimize CPU load on sensors that see low volume/sensor-local traffic. Check out the most recent commits, shout out to Justin for the basis of the tweaks. https://github.com/JonZeolla/bro/tree/topic/jonzeolla/low-volume
Jon
Thanks Jon. I’ll take a look. I should clarify.
I’m working on a multi-tenant solution with Bro, Docker, and SR-IOV. The plan is to support 10Gbps+, with VLANs as the dividers for tenants. The containerized Bro is working and I’m able to run multiple Bro instances for multiple tenants. However, when I start additional Bro containers, they each consume 6% CPU (12% for 2, 18% for 3, etc).
Would the usleep patch still apply to a high-throughput solution?