<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoPlainText">Hello Everyone,<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I am reaching out with the hope that someone will be able to help us with an issue we are having with a Bro upgrade from 2.4.1 to 2.5.X.
<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">We have a system with 12 cores (3 GHz), 128 GB RAM, and a 10G NIC (Intel X520-SR2 10GbE Dual-port), monitoring between 1.5 and 2.5 Gbps of traffic.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Bro 2.4.1 is working great and periodically drops 2-5% when traffic peaks at ~ 2.5. However, when we upgrade to Bro 2.5.3/4 on the same exact system the drops go up to 90%.
<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">We are using CentOS-7 and tried installing Bro and PF_RING from both rpm and source without any luck. I wonder if anyone has seen this issue and can give some clues to resolve it.
<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><b>Bro Node Conf: <o:p></o:p></b></p>
<p class="MsoPlainText">[manager]<o:p></o:p></p>
<p class="MsoPlainText">type=manager<o:p></o:p></p>
<p class="MsoPlainText">host=localhost<o:p></o:p></p>
<p class="MsoPlainText">#<o:p></o:p></p>
<p class="MsoPlainText">[proxy-1]<o:p></o:p></p>
<p class="MsoPlainText">type=proxy<o:p></o:p></p>
<p class="MsoPlainText">host=localhost<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">#<o:p></o:p></p>
<p class="MsoPlainText">[worker-1]<o:p></o:p></p>
<p class="MsoPlainText">type=worker<o:p></o:p></p>
<p class="MsoPlainText">host=localhost<o:p></o:p></p>
<p class="MsoPlainText">interface=ens1f1<o:p></o:p></p>
<p class="MsoPlainText">lb_method=pf_ring<o:p></o:p></p>
<p class="MsoPlainText">lb_procs=11<o:p></o:p></p>
<p class="MsoPlainText">pin_cpus=1,2,3,4,5,6,7,8,9,10,11<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><b>[root@bro-test ~]# cat /proc/net/pf_ring/info<o:p></o:p></b></p>
<p class="MsoPlainText">PF_RING Version : 7.3.0 (unknown)<o:p></o:p></p>
<p class="MsoPlainText">Total rings : 11<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Standard (non ZC) Options<o:p></o:p></p>
<p class="MsoPlainText">Ring slots : 65534<o:p></o:p></p>
<p class="MsoPlainText">Slot version : 17<o:p></o:p></p>
<p class="MsoPlainText">Capture TX : No [RX only]<o:p></o:p></p>
<p class="MsoPlainText">IP Defragment : No<o:p></o:p></p>
<p class="MsoPlainText">Socket Mode : Standard<o:p></o:p></p>
<p class="MsoPlainText">Cluster Fragment Queue : 0<o:p></o:p></p>
<p class="MsoPlainText">Cluster Fragment Discard : 0<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><b>[root@bro-test ~]# tailf /opt/bro/logs/current/capture_loss.log<o:p></o:p></b></p>
<p class="MsoPlainText">1535647921.339324 60.000005 worker-1-8 318331 425005 74.900531<o:p></o:p></p>
<p class="MsoPlainText">1535647921.217853 60.000000 worker-1-5 264716 349078 75.832908<o:p></o:p></p>
<p class="MsoPlainText">1535647921.241244 60.000021 worker-1-9 265863 364089 73.021432<o:p></o:p></p>
<p class="MsoPlainText">1535647921.312567 60.000002 worker-1-1 239036 315823 75.686698<o:p></o:p></p>
<p class="MsoPlainText">1535647922.188607 60.000420 worker-1-4 238192 322818 73.785229<o:p></o:p></p>
<p class="MsoPlainText">1535647922.760560 60.000029 worker-1-11 250678 338188 74.12386<o:p></o:p></p>
<p class="MsoPlainText">1535647922.864470 60.000075 worker-1-3 232467 314963 73.807717<o:p></o:p></p>
<p class="MsoPlainText">1535647923.413121 60.000024 worker-1-10 254241 345382 73.611537<o:p></o:p></p>
<p class="MsoPlainText">1535647923.205954 60.001556 worker-1-2 259932 354980 73.224407<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><b>[root@bro-test ~]# less /opt/bro/logs/current/stats.log | bro-cut ts peer mem pkts_proc bytes_recv pkts_dropped<o:p></o:p></b></p>
<p class="MsoPlainText">1535644801.328981 worker-1-8 2854 3523252 2214563854 8841163<o:p></o:p></p>
<p class="MsoPlainText">1535644801.235592 worker-1-9 2833 3422300 2135680645 9083143<o:p></o:p></p>
<p class="MsoPlainText">1535644801.299138 worker-1-1 2801 3358673 2089659287 9059868<o:p></o:p></p>
<p class="MsoPlainText">1535644802.177016 worker-1-4 2727 3262089 2027645336 9155838<o:p></o:p></p>
<p class="MsoPlainText">1535644801.187590 worker-1-5 2640 3336190 2085853940 9332917<o:p></o:p></p>
<p class="MsoPlainText">1535644802.750617 worker-1-11 2726 3432674 2153405372 9018943<o:p></o:p></p>
<p class="MsoPlainText">1535644802.853617 worker-1-3 2816 3448836 2161753414 8929662<o:p></o:p></p>
<p class="MsoPlainText">1535644803.186853 worker-1-2 2659 3387742 2116043509 9176871<o:p></o:p></p>
<p class="MsoPlainText">1535644803.395256 worker-1-10 2871 3407486 2132043052 9049047<o:p></o:p></p>
<p class="MsoPlainText">1535644803.403778 worker-1-7 2821 3278503 2023604941 9966347<o:p></o:p></p>
<p class="MsoPlainText">1535644850.898433 manager 2340 0 0 -<o:p></o:p></p>
<p class="MsoPlainText">1535644804.257320 proxy-1 73 0 0 -<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><b>[root@bro-test logs]# broctl netstats<o:p></o:p></b></p>
<p class="MsoPlainText">worker-1-1: 1535651356.794609 recvd=3501813131 dropped=3589205826 link=3501813131<o:p></o:p></p>
<p class="MsoPlainText">worker-1-2: 1535651358.808626 recvd=4033892471 dropped=3057179730 link=4033892471<o:p></o:p></p>
<p class="MsoPlainText">worker-1-3: 1535651358.587316 recvd=3930325145 dropped=3160768660 link=3930325145<o:p></o:p></p>
<p class="MsoPlainText">worker-1-4: 1535651357.702299 recvd=3561053809 dropped=3530086444 link=3561053809<o:p></o:p></p>
<p class="MsoPlainText">worker-1-5: 1535651357.650359 recvd=3399338460 dropped=3691836209 link=3399338460<o:p></o:p></p>
<p class="MsoPlainText">worker-1-6: 1535651334.912244 recvd=3714154738 dropped=3376978237 link=3714154738<o:p></o:p></p>
<p class="MsoPlainText">worker-1-7: 1535651359.119492 recvd=3684804437 dropped=3406432666 link=3684804437<o:p></o:p></p>
<p class="MsoPlainText">worker-1-8: 1535651359.668621 recvd=4020016563 dropped=3071265083 link=4020016563<o:p></o:p></p>
<p class="MsoPlainText">worker-1-9: 1535651359.867601 recvd=3807658264 dropped=3283669188 link=3807658264<o:p></o:p></p>
<p class="MsoPlainText">worker-1-10: 1535651359.749253 recvd=3703077938 dropped=3388277853 link=3703077938<o:p></o:p></p>
<p class="MsoPlainText">worker-1-11: 1535651359.907420 recvd=4052516305 dropped=3038874387 link=4052516305<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><b>nload output for capture NIC:<o:p></o:p></b></p>
<p class="MsoPlainText"><img width="1318" height="504" id="Picture_x0020_1" src="cid:image001.png@01D4407C.0E3A9670"><o:p></o:p></p>
<p class="MsoPlainText">Jawad Rajput <o:p></o:p></p>
<p class="MsoPlainText">System Administrator<o:p></o:p></p>
<p class="MsoPlainText">U.S. Department of Energy <o:p></o:p></p>
<p class="MsoPlainText">IM-62 /Germantown Building<o:p></o:p></p>
<p class="MsoPlainText">HQ Network Security Team<o:p></o:p></p>
<p class="MsoPlainText">Email: <a href="mailto:Jawad.Rajput@hq.doe.gov">Jawad.Rajput@hq.doe.gov</a><o:p></o:p></p>
<p class="MsoPlainText">Office: 301-903-2176<o:p></o:p></p>
<p class="MsoPlainText">Office: 301-903-3895<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
</div>
</body>
</html>