[Bro] Stand-alone cluster problems
robin at icir.org
Fri Jun 12 16:02:40 PDT 2009
a number of thoughts:
- increasing the BPF buffer sizes is definitely important and should
generally reduce drops.
- the top output shows that the Bro process is actually swapping out
memory to disk:
> PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
> 51061 XXXXXX 1 -20 0 1207M 843M swread 1 606:53 0.00%
Once that happens, pretty much all bets are off regarding drops: the
I/O load will dominate everything else and Bro will almost certainly drop
tons of packets.
- the stack backtrace shows a piece of code where we just found a
problem in the version checked into my branch, which has the
potential to cause drops with large tables. I can't tell whether
it's a coincidence or indeed causing trouble in your case. In any
case, I've committed a fix, please update your working copy and
recompile to see whether that makes any difference.
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org