We are running into performance issues (30x slower) since the Broker patch (fe7e1ee) -
We have 40G connections tapped from our storage filers feeding multiple Bro instances which analyze specifically only NFS and SMB traffic; all other analyzers are disabled. With the broker patch we are seeing processing times for a ~1GB pcap jump from around 2 seconds to over 1 minute. Profiling Bro, it looks like the culprit is the new Actor functions -- # Before patch Overhead Shared Object Symbol 14.57% [kernel] [k] copy_user_enhanced_fast_string 3.20% bro [.] EventHandler::operator bool 2.99% bro [.] _siphash 2.89% bro [.] Dictionary::Lookup # After patch Overhead Shared Object Symbol 5.71% [kernel] [k] native_write_msr_safe 3.84% libcaf_core.so.0.15.7 [.] caf::scheduler::worker<caf::policy::work_stealing>::run 3.71% libcaf_core.so.0.15.7 [.] caf::detail::double_ended_queue<caf::resumable>::take_head 3.29% [kernel] [k] _raw_spin_lock Is the Bro development team still optimizing the Broker/Actor framework? It might be helpful to have a way to disable Broker for those of us who haven't migrated to it yet. # ~1GB file time (old) $ time /hostname/bro-devel/bin/bro -r 20180606-1049-prodfilers-truncated_00000_20180606104904.pcap master.bro real 0m2.294s user 0m1.862s sys 0m0.385s # ~1GB file time (new) $ time /hostname/bro-devel/bin/bro -r 20180606-1049-prodfilers-truncated_00000_20180606104904.pcap master.bro real 1m11.458s user 0m58.933s sys 1m34.074s Thanks! --Tim ________________________________ IMPORTANT: The information contained in this email and/or its attachments is confidential. If you are not the intended recipient, please notify the sender immediately by reply and immediately delete this message and all its attachments. Any review, use, reproduction, disclosure or dissemination of this message or any attachment by an unintended recipient is strictly prohibited. Neither this message nor any attachment is intended as or should be construed as an offer, solicitation or recommendation to buy or sell any security or other financial instrument. Neither the sender, his or her employer nor any of their respective affiliates makes any warranties as to the completeness or accuracy of any of the information contained herein or that this message or any of its attachments is free of viruses.
_______________________________________________ bro-dev mailing list [email protected] http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
