Custom event handler script generates heavy CPU load with Bro 2.5.5 (PF_RING)

Elena_Bykovchenko · October 22, 2018, 3:09pm

Hello. I have a script which defines a custom handler on mime_data event:

event mime_all_data (c: connection, length: count, data: string)

{

// do stuff

}

When this script is ran with capturing traffic in PF_RING mode using lb_procs=2, Bro processes consume 100% of both pinned CPU cores. This is not the case when capturing without PF_RING in single process mode though. What are possible reasons for this? Can it be optimized on the script side? What can be done to lower the CPU usage?

Seth_Hall2 · October 24, 2018, 2:38pm

Hi Elena,

I think you're conflating two potential problems.

- Is handling the mime_all_data event causing overload?
- Is PF_Ring working correctly?

If you take your script out of the picture are you still seeing 100% cpu utilization?

.Seth

Topic		Replies	Views
Duplicate log entries for events Zeek	3	150	May 6, 2022
loading modules and automatically using custom scripts Zeek	1	77	May 6, 2022
Question about creating custom conn logs. Zeek	2	54	May 6, 2022
icmp events (custom and original) not firing? Zeek	3	84	May 6, 2022
event q. Zeek	1	69	May 6, 2022

Custom event handler script generates heavy CPU load with Bro 2.5.5 (PF_RING)

Related Topics