[Bro] Bro performance issues

Tomer Teller djteller at gmail.com
Tue Nov 1 01:26:20 PDT 2011

I installed Bro 2.0-beta on my machine.
I have to say that it was quick, easy and without any problems :)

I removed libpcap0.8 before the installation, installed PF_RING along with
libpcap-1.1.1-ring which Bro is now using.

libpcap.so.1 => /usr/local/lib/libpcap.so.1
libpfring.so => /usr/local/lib/libpfring.so

I configured the node.cfg and added:
1 manager
1 proxy
2 workers - sniffing the same interface
* All the nodes are on the same localhost

I'm replaying a big pcap file with 680000 packets and expecting to see some
load-balancing between the 2 nodes (that are running on different cores).

I am using the 'netstats' command in broctl and expecting to see that half
(or at least some) of the traffic goes to worker-1 and the rest to worker-2
(i.e., the sum of both workers' packets received ≈ 680000)

I see that worker-1 took everything.
worker-1: 1320163523.794836 recvd=638311 dropped=31948 link=670259

And I'm assuming that worker-2 also got everything (duplicate).

How do I load-balance between the two workers on the same machine?

Also I noticed minor bugs:

[BroControl] > netstats
  worker-3: <error: cannot connect to>

[BroControl] > scripts
proxy-1 is ok.
  cat: loaded_scripts*: No such file or directory
worker-1 is ok.
  cat: loaded_scripts*: No such file or directory
worker-3 is ok.
  cat: loaded_scripts*: No such file or directory

On Mon, Oct 31, 2011 at 7:33 PM, Seth Hall <seth at icir.org> wrote:

> On Oct 31, 2011, at 1:08 PM, Tomer Teller wrote:
> > Do you mean PF_RING with front-end solution such as click router?
> > Is it possible to run everything on a single machine?
> Martin is referring to clustering in PF_RING.  It will split your traffic
> into bidirectional flows within your kernel and it is easy to configure with
> Bro 2.0-beta (I wouldn't try it with 1.5, it would be a bit of a mess).  If
> you're running with broctl it will mostly just work with PF_RING out of the
> box including clustering, you just need to make sure you're building
> against the correct libpcap using PF_RING's libpcap wrapper and then all of
> your workers you configure in broctl's node.cfg file should sniff the same
> interface.
>  .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
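A quick way to settle the question the message raises (are the two workers splitting the replayed traffic, or is each seeing all of it?) is to parse `broctl netstats` output and compare the per-worker `link` counters against the number of packets replayed. The script below is an added example, not part of the original thread and not Bro's or BroControl's own tooling. The worker-1 line is the one quoted above; the worker-2, worker-3 and "balanced" lines are constructed for illustration. It assumes that `link` is the packet count the capture interface handed to that worker (consistent with the quoted line, where `recvd + dropped = link`) and that PF_RING flow clustering makes the workers' `link` counts sum to roughly the replayed total, whereas without clustering every worker's `link` count is itself roughly the total.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `broctl netstats` output (worker-1 is the line quoted in
# the message; worker-2 and the error line are assumed for illustration).
SAMPLE_DUPLICATED = """\
worker-1: 1320163523.794836 recvd=638311 dropped=31948 link=670259
worker-2: 1320163523.801102 recvd=640004 dropped=30255 link=670259
  worker-3: <error: cannot connect to>
"""

# Constructed sample of what PF_RING flow clustering should look like: the two
# link counts add up to roughly the 680000 packets in the replayed pcap.
SAMPLE_BALANCED = """\
worker-1: 1320163600.100000 recvd=330000 dropped=11000 link=341000
worker-2: 1320163600.100500 recvd=332000 dropped=7259 link=339259
"""

LINE_RE = re.compile(
    r"^\s*(?P<node>[\w-]+):\s+(?P<ts>[\d.]+)\s+recvd=(?P<recvd>\d+)"
    r"\s+dropped=(?P<dropped>\d+)\s+link=(?P<link>\d+)\s*$"
)
ERROR_RE = re.compile(r"^\s*(?P<node>[\w-]+):\s+<error:(?P<msg>.*)>\s*$")


def parse_netstats(text: str) -> Tuple[Dict[str, Dict[str, int]], List[str]]:
    """Parse netstats output into {node: counters} plus the nodes broctl could not reach."""
    stats: Dict[str, Dict[str, int]] = {}
    unreachable: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            stats[m.group("node")] = {
                "recvd": int(m.group("recvd")),
                "dropped": int(m.group("dropped")),
                "link": int(m.group("link")),
            }
            continue
        m = ERROR_RE.match(line)
        if m:
            unreachable.append(m.group("node"))
            continue
        raise ValueError(f"unrecognised netstats line: {line!r}")
    return stats, unreachable


def classify_balance(stats: Dict[str, Dict[str, int]], expected_packets: int,
                     tolerance: float = 0.10) -> str:
    """Return 'balanced', 'duplicated', 'unexplained' or 'no-workers'.

    'duplicated': every worker's link count is within tolerance of the replayed
    total, i.e. each worker saw all packets (no PF_RING clustering in effect).
    'balanced': the workers' link counts sum to roughly the replayed total.
    """
    workers = {n: s for n, s in stats.items() if n.startswith("worker")}
    if not workers:
        return "no-workers"
    per_worker = [s["link"] for s in workers.values()]
    lo, hi = expected_packets * (1 - tolerance), expected_packets * (1 + tolerance)
    if len(workers) > 1 and all(lo <= v <= hi for v in per_worker):
        return "duplicated"
    if lo <= sum(per_worker) <= hi:
        return "balanced"
    return "unexplained"


def drop_rate(stats: Dict[str, Dict[str, int]]) -> Dict[str, float]:
    """Fraction of delivered packets each node dropped; a high value means that worker is overloaded."""
    return {n: (s["dropped"] / s["link"] if s["link"] else 0.0) for n, s in stats.items()}


if __name__ == "__main__":
    for label, sample in (("duplicated", SAMPLE_DUPLICATED), ("balanced", SAMPLE_BALANCED)):
        stats, dead = parse_netstats(sample)
        print(label, classify_balance(stats, 680000), "unreachable:", dead, drop_rate(stats))
```

Run it against real output with `broctl netstats > ns.txt` and `parse_netstats(open("ns.txt").read())`; a 'duplicated' verdict with both workers bound to the same interface means the workers are not attached to a common PF_RING cluster, which is the first thing to confirm before tuning anything else.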