[Bro] Bro performance issues

William Jones jones at tacc.utexas.edu
Fri Nov 4 17:34:02 PDT 2011

I backed down from the PF_RING pcap library.  I couldn't find a way to run off the load balancing.    

-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of William Jones
Sent: Friday, November 04, 2011 4:09 PM
To: 'Seth Hall'; Martin Holste
Cc: bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues

Just install bro with PF_RING without my filter to see what happens with load pf_ring load balancing. 

As I though the load balancing does a good jobs of distributing the load across my 8 bro workes.    The down side is that bro is not working correctly sense each bro work only see part of the tcp connections for example the wired log:

1320440533.316479       B1zdmt0vxHf   54999     80      above_hole_data_without_any_acks        -       F       worker-2
1320440533.316479       F1NuRpLxmri   54999     80      above_hole_data_without_any_acks        -       F       worker-4
1320440533.316479       GBvErIhMFH3   54999     80      above_hole_data_without_any_acks        -       F       worker-1
1320440533.316479       Jgz4LByaW62   54999     80      above_hole_data_without_any_acks        -       F       worker-8
1320440533.316479       JgQfacLEqNf   54999     80      above_hole_data_without_any_acks        -       F       worker-5
1320440533.316479       a5JEFET8tid   54999     80      above_hole_data_without_any_acks        -       F       worker-6
1320440533.316479       Olp5WQZeFsk   54999     80      above_hole_data_without_any_acks        -       F       worker-7

There are a lot of other functions that don't seem to work.

I am putting the filter back but I will continue to run  pf_ring with load blancing turned off and see what happens.  

-----Original Message-----
From: Seth Hall [mailto:seth at icir.org] 
Sent: Friday, November 04, 2011 7:28 AM
To: Martin Holste
Cc: William Jones; Tomer Teller; bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues

On Nov 3, 2011, at 6:10 PM, Martin Holste wrote:

> Actually, I recommend setting up a bonded interface, which recent
> PF_RING's will happily monitor.

Ah, nice!  Thanks for pointing that out.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

Bro mailing list
bro at bro-ids.org

More information about the Bro mailing list