[Bro] Bro performance issues

Martin Holste mcholste at gmail.com
Tue Nov 1 07:02:06 PDT 2011


Looks like only one worker is even alive.  There should be no tweaking
necessary to get the load-balancing to occur, so there's a fundamental
problem if it's not happening.  It sounds like you've already got the
installation done, but I have a quick howto here:
ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html.
I would suggest trying a clean install to a different directory and
copying the config files over if you continue to have issues.

On Tue, Nov 1, 2011 at 3:26 AM, Tomer Teller <djteller at gmail.com> wrote:
> I installed Bro 2.0-beta on my machine.
> I have to say that it was quick, easy and without any problems :)
> I removed libpcap0.8 before the installation, installed PF_RING along with
> libpcap-1.1.1-ring which BRO is now using.
> libpcap.so.1 => /usr/local/lib/libpcap.so.1
> libpfring.so => /usr/local/lib/libpfring.so
> I configured the node.cfg and added:
> 1 manager
> 1 proxy
> 2 workers  - sniffing the same interface
> * All the nodes are on the same localhost
> I'm replaying a big pcap file with 680000 packets and expecting to see some
> load-balancing between the 2 nodes (that are running on different cores).
> I am using the 'netstats' command in broctl and expecting to see that half
> (or at least some) of the traffic goes to worker-1 and the rest to worker-2
> (i.e. The sum of both workers packet received = 680000 ~)
> I see that worker-1 took everything.
> worker-1: 1320163523.794836 recvd=638311 dropped=31948 link=670259
> And I'm assuming that worker-2 also got everything (duplicate).
> How do I load-balance between the two workers on the same machine?
> Also I noticed minor bugs:
> [BroControl] > netstats
>   worker-3: <error: cannot connect to 127.0.1.1:47764>
> [BroControl] > scripts
> proxy-1 is ok.
>   cat: loaded_scripts*: No such file or directory
> worker-1 is ok.
>   cat: loaded_scripts*: No such file or directory
> worker-3 is ok.
>   cat: loaded_scripts*: No such file or directory
>
>
>
> On Mon, Oct 31, 2011 at 7:33 PM, Seth Hall <seth at icir.org> wrote:
>>
>> On Oct 31, 2011, at 1:08 PM, Tomer Teller wrote:
>>
>> > Do you mean PF_RING with front-end solution such as click router?
>> > Is it possible to run everything on a single machine?
>>
>>
>> Martin is referring to clustering in PF_RING.  It will split your traffic
>> into bidirectional flows within your kernel and it is easy to configure with
>> Bro 2.0-beta (I wouldn't try it with 1.5, it would be a bit of a mess).  If
>> you're running with broctl it will mostly just work with PF_RING out of the
>> box including clustering, you just need to make sure you're building against
>> the correct libpcap using PF_RING's libpcap wrapper and then all of your
>> workers you configure in broctl's node.cfg file should sniff the same
>> interface.
>>
>>  .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro-ids.org/
>>
>
>
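
An added example (not part of the original messages, and not Bro or BroControl code): a check over `netstats` output in the format quoted above that flags unreachable workers, a worker taking nearly all packets, high drop rates, and a packet total that suggests duplicated rather than split traffic. The function names and thresholds are assumptions; the two sample lines are copied from the thread.

```python
import re

# Constructed sample: the two netstats result lines quoted in the thread.
SAMPLE = """\
worker-1: 1320163523.794836 recvd=638311 dropped=31948 link=670259
  worker-3: <error: cannot connect to 127.0.1.1:47764>
"""

STATS = re.compile(r"^\s*(\S+):\s+[\d.]+\s+recvd=(\d+)\s+dropped=(\d+)\s+link=(\d+)\s*$")
ERROR = re.compile(r"^\s*(\S+):\s+<error:\s*(.*?)>\s*$")


def parse_netstats(text):
    """Map each worker name to its counters, or to {'error': msg} if unreachable."""
    workers = {}
    for line in text.splitlines():
        if m := STATS.match(line):
            recvd, dropped, link = map(int, m.groups()[1:])
            workers[m.group(1)] = {"recvd": recvd, "dropped": dropped, "link": link}
        elif m := ERROR.match(line):
            workers[m.group(1)] = {"error": m.group(2)}
    return workers


def assess(workers, replayed=None, max_share=0.8, max_drop=0.01):
    """Return a list of findings; the thresholds are illustrative assumptions."""
    findings = [f"{n}: unreachable ({w['error']})" for n, w in workers.items() if "error" in w]
    alive = {n: w for n, w in workers.items() if "error" not in w}
    total = sum(w["recvd"] for w in alive.values())
    seen = sum(w["link"] for w in alive.values())
    for n, w in alive.items():
        if w["link"] and w["dropped"] / w["link"] > max_drop:
            findings.append(f"{n}: dropped {w['dropped'] / w['link']:.1%} of link packets")
        if len(workers) > 1 and total and w["recvd"] / total > max_share:
            findings.append(f"{n}: took {w['recvd'] / total:.0%} of received packets")
    # Even shares can still mean every worker saw a full copy of the traffic.
    if replayed and seen > 1.5 * replayed:
        findings.append(f"workers saw {seen} packets for {replayed} replayed: duplicated, not split")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_netstats(SAMPLE), replayed=680000):
        print(finding)
```

Pass the number of packets in the replayed pcap as `replayed`; without it the duplicate-traffic check is skipped.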
