High CPU Usage

Hi, everyone

I’m facing an issue regarding a high CPU usage in a Zeek machine, this cause packets dropped whenever a core reach 100% usage. We always have 1 core at 100% load and the others are around 60-80%

Name Type Host Pid VSize Rss Cpu

logger logger localhost 4666 2G 121M 53%

manager manager localhost 4712 584M 114M 40%

proxy-1 proxy localhost 4757 639M 148M 20%

worker-1-1 worker localhost 4934 884M 393M 53%

worker-1-2 worker localhost 4893 1G 596M 73%

worker-1-3 worker localhost 4890 1G 592M 80%

worker-1-4 worker localhost 4895 887M 395M 46%

worker-1-5 worker localhost 4935 4G 3G 106%

worker-1-6 worker localhost 4901 877M 385M 40%

worker-1-7 worker localhost 4911 1G 581M 66%

worker-1-8 worker localhost 4906 879M 389M 40%

worker-1-9 worker localhost 4937 1G 576M 80%

worker-1-10 worker localhost 4920 881M 391M 46%

We have the next specifications :

-x 1Intel Xeon E-2136 3.3GHz, 12M cache, 6C/12T, turbo (80W)


  • And we are using PF_Ring to balance de traffic.

The traffic that this Zeek manage is about 1,5GB/s with peaks of 2,5 at max.

We don’t know if this is a normal behavior or we need more Hardware to manage this amount of traffic or something that we have bad in the configuration.

The node.cfg is the next one:

















We have been testing different solutions posted before but nothing seems to take effect.

I hope you can help me improve this. Also, is there a way to reduce the amount of CPU that Zeek use? For example disabling some scripts or something like that?

Thank you all.

Best Regards!

Jorge García Rodríguez
Technical Consultant
Security Infrastructures

Grupo SIA
Avda.Europa,2 - Alcor Plaza, Edificio B - Parque Oeste Alcorcón
28922 Alcorcón - Madrid
Tlf: +34 902 480 580 Fax: +34 91 307 79 80

delivering value

This e-mail and any attached files are intended solely for the addresse/s identified herein. It may contain confidential and/or legally privileged information and may not necessarily represent the opinion of SIA.

No legally binding commitments will be created by this E-mail message. Where we intend to create legally binding commitments these will be made through hard copy correspondence or documents. If you receive this message by mistake, please immediately notify the sender and delete it since you are not authorized to use, disclose, distribute, print or copy all or part of the contained information Thank you. It is understood that the message was sent to you accidentally, although you appear as the addressee, you can see from the frame of existing relations that you were not the final addressee.