Hi, everyone
We have a problem with the performance of Zeek.
We have tested Zeek's performance in a lab environment with a traffic generator, and it seems that Zeek's performance is not as good as we expected.
The Zeek sensor is installed on a server with 16 cores (32 vCPU) at 2.2 GHz and 128 GB RAM.
The traffic generator produces HTTP traffic with a 4 KB web page.
The Zeek sensor uses 30 workers (each worker pinned to a vCPU), and we also implemented PF_RING ZC to accelerate it.
The Zeek version is native v4.2.
When the traffic reaches 14,000 connections/s (the traffic is less than 1 Gbps), all the CPU usage reaches about 80% or more. It seems that a single Zeek worker can only process fewer than 500 new connections per second.
We also tested with 1 Zeek worker to verify this, and found that its peak processing rate was actually about 500 connections/s (1 Zeek worker with a vCPU).
We don't know if there is anything wrong in our test scenarios. But compared with Suricata, Zeek's performance is very low. We also set up a Suricata sensor on the same server, and Suricata can process over 60,000 connections/s with 20,000 signatures.
We have made many efforts to improve it, but nothing works. Are there any methods to improve it?
Thanks a lot.