Performance Tuning
NOTE: This chapter is still a rough draft and incomplete.
If the link you are monitoring with Bro has too many connections per second, or if you have too many policy modules loaded, it is possible that Bro will not be able to keep up, and that the Bro host will drop too many packets to be able to perform accurate analysis.
A "rule of thumb" for Bro is that if CPU usage is < 50% and memory use is < 70% of physical memory, then you should not have any worries.
Otherwise you might want to explore the tuning options below.
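One way to check the rule of thumb above on a running sensor, as an added example that is not part of the Bro distribution. It assumes "memory use" means the resident set size of processes named `bro`; the function names and sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example: evaluate the rule of thumb (CPU < 50%, memory < 70% of
# physical memory) for Bro. Assumption: memory use = summed RSS of every
# process whose command name is "bro".

# bro_rule_of_thumb TOTAL_KB
# Reads "pcpu rss_kb comm" rows on stdin (ps -A -o pcpu= -o rss= -o comm=),
# prints one summary line and returns:
#   0  both limits met      1  a limit is exceeded
#   2  no bro process found, or TOTAL_KB is not a positive number
bro_rule_of_thumb() {
    awk -v total_kb="$1" '
        $3 == "bro" || $3 ~ /\/bro$/ { cpu += $1; rss += $2; n++ }
        END {
            if (n == 0 || total_kb + 0 <= 0) {
                print "no bro process found or bad memory total"
                exit 2
            }
            mem_pct = 100 * rss / total_kb
            printf "bro: cpu=%.1f%% mem=%.1f%% of physical\n", cpu, mem_pct
            exit ((cpu < 50 && mem_pct < 70) ? 0 : 1)
        }'
}

# Live check. Assumption: Linux, where /proc/meminfo reports MemTotal in kB.
# Note that procps reports %CPU averaged over the process lifetime, so a
# recent traffic spike shows up late; sample again after the spike.
check_live() {
    total_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    ps -A -o pcpu= -o rss= -o comm= | bro_rule_of_thumb "$total_kb"
}

# Constructed ps rows for a host with 4 GB (4194304 kB) of physical memory.
sample_ok()   { printf '%s\n' ' 31.5 1048576 bro' '  0.3   20480 sshd'; }
sample_busy() { printf '%s\n' ' 84.0 3145728 bro' '  0.3   20480 sshd'; }

# Demo on the constructed "ok" sample.
sample_ok | bro_rule_of_thumb 4194304
```

A return status of 1 is the signal to look at the tuning options in this chapter.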
For sites with an extremely high load you might consider using multiple Bro boxes, each configured to capture and analyze different types of traffic.
Note that the amount of CPU required by Bro is a function of both the number of connections/second and the number of packets/second. So it's possible that a large site (e.g., 2,000 hosts) on a slow link (e.g., 100 Mbps) would still have performance issues because it has a very large number of connections/second.