Module execution


I’m looking to squeeze every bit of performance out of my Bro implementation, and wanted to know:

  1. Is there any overhead that can be turned off? I’m only looking to capture HTTP, SMTP, and FTP, extract any files in transit, and calculate a SHA1 hash of those files.

  2. Are there any tips for writing fast event code? Are there any known slow moving operations?

  3. Has anyone done any time execution analysis of their code and could share the results?

Thank you as always,


Are you optimizing for a specific piece of hardware? Knowing any constraints there will be helpful as there are some changes that can be made based off of the hardware setup or traffic composition/speeds.


I’m trying to get as close as I can to supporting 10Gbs. I’ve been running upwards of 18 workers supporting 1 10G Intel NIC. As I increase network traffic I’m getting packet loss, and want to explore the code as a bottleneck.