High cpu when calling lookup_hostname

Pasqualino_Paladino · May 6, 2016, 10:16am

Hello everybody,

I’m using Bro 2.4.1 stable and I developed a script in order to add some information to http.log.

This code snippet attempts to lookup each external hostname that is being contacted by an internal IP.

if(c?$http && c$http?$host && c$http$host != “”){

when (local h = lookup_hostname(c$http$host)){

if (|h|>0 && (0.0.0.0 !in h))

{

c$http$host_ip = h;

Log::write(HTTP::LOG, c$http);

}

return;

}

timeout 2 sec {

return;

}

My problem is that the cores that have been assigned for Bro are using the 100% of the cpu and I guess the problem is caused by when call.

I have tried to install an internal dns cache (Bind9) in order to increase the performance, but, having a 300 mb/s of throughput and setting 2 sec of timeout doesn’t work .

By disabling the script bro has the expected behavior (around 50%-60% of cpu usage).

Is anyone able to help me?

Thanks in advance,

Pasquale

Chiaverini_Christian · May 6, 2016, 12:27pm

It is probably in IO wait on the lookup. Could you run a local caching nameserver? nscd is the easiest to setup but there are others.

Pasqualino_Paladino · May 9, 2016, 1:20pm

The wa percentage seems to be 0% by top command so I guess that is not the problem.

I have installed a local dns cache (Bind) and this seems to have improved a little bit the performance, but bro keeps losing packets due to the “when” call.

Thanks,

Pasquale

Topic		Replies	Views
troubleshooting bro memory usage? Zeek	19	365	May 6, 2022
A more parallel Bro Zeek	2	46	May 6, 2022
Hardware Experience Zeek	2	55	May 6, 2022
Using Bro to detect DNS lookups in given timeframe Zeek	2	53	May 6, 2022
Implementing a new script Zeek	2	60	May 6, 2022

High cpu when calling lookup_hostname

Related Topics