Measuring Zeek's performance

Dear Zeek-devs,
I think it is a common experience to need to evaluate Zeek’s performance according to different customizations at the script level, when using one event rather than another or a new plugin. Obviously this heavily depends on the traffic Zeek is analyzing. But it would be of great help if there were a tool which could count the amount of time Zeek has spent on certain events/plugins when analyzing traffic. Is something like this available?

Thanks in advance.

The attached may prove useful. The contents are:

  1. - awk script that takes a bro script on stdin & outputs the script with instrumentation added. It does a passable job of adding instrumentation to entry & exits of functions/events/hooks, although at times there is manual fixup required. To do an exact job would require a full bro language parser, which was more than I wanted to tackle (although in a fit of experimentation, I did once write a recursive descent compiler-compiler in awk).
  2. Instrument.bro - which prints timestamps upon function entry & exit (for production use, this probably needs to be a logfile). This needs to be @load’ed before the bro scripts that you’ve instrumented. By processing the log & matching up the function calls, the elapsed time in the function can be calculated. This could also be expanded to record memory usage before & after, if that is of interest.

I never got around to productionizing this, but hopefully it will be of interest…

Hope this helps,


instrument.tar (6 KB)
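
The log-matching step described in the reply above, as an added example that is not part of the original post or the attached tarball: it pairs entry and exit records with a call stack and reports call count, inclusive time and self time per function, flagging records the instrumentation left unmatched. The log line format and the sample names are assumptions, since the thread does not show what Instrument.bro prints.

```python
from collections import defaultdict

# Constructed sample log. The "<epoch seconds> ENTER|EXIT <name>" line format
# is an assumption; the thread does not show what Instrument.bro prints.
SAMPLE_LOG = """\
1700000000.000000 ENTER connection_established
1700000000.000100 ENTER lookup_host
1700000000.000400 EXIT lookup_host
1700000000.001000 EXIT connection_established
1700000000.002000 ENTER http_request
1700000000.002050 ENTER lookup_host
1700000000.002500 EXIT http_request
1700000000.003000 ENTER dns_request
"""

def profile(log_text):
    """Return (stats, problems); stats[name] = (calls, inclusive_s, self_s)."""
    stats = defaultdict(lambda: (0, 0.0, 0.0))
    problems, stack = [], []  # stack frames: [name, entry_ts, callee_time]
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            ts_text, kind, name = line.split()
            ts = float(ts_text)
        except ValueError:
            problems.append((lineno, "unparsable line"))
            continue
        if kind == "ENTER":
            stack.append([name, ts, 0.0])
            continue
        if kind != "EXIT" or all(f[0] != name for f in stack):
            problems.append((lineno, f"unmatched record: {kind} {name}"))
            continue
        # An exit the instrumentation missed (e.g. an early return) leaves a
        # stale frame above the matching entry: report it and discard it.
        while stack[-1][0] != name:
            problems.append((lineno, f"missing EXIT: {stack.pop()[0]}"))
        _, start, callee_time = stack.pop()
        elapsed = ts - start
        calls, incl, own = stats[name]
        stats[name] = (calls + 1, incl + elapsed, own + elapsed - callee_time)
        if stack:
            stack[-1][2] += elapsed  # charge this call to its caller
    problems += [(None, f"missing EXIT: {f[0]}") for f in stack]
    return dict(stats), problems

if __name__ == "__main__":
    stats, problems = profile(SAMPLE_LOG)
    for name, (calls, incl, own) in sorted(stats.items(), key=lambda kv: -kv[1][2]):
        print(f"{name:26s} calls={calls} inclusive={incl:.6f}s self={own:.6f}s")
    print("warnings:", problems)
```

Time spent in a frame that is discarded for a missing exit stays in its caller's self time, so any function named in a warning should be fixed up in the instrumented script before its caller's numbers are trusted.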