[Bro] Bro performance issues
seth at icir.org
Fri Nov 4 18:23:04 PDT 2011
On Nov 4, 2011, at 5:09 PM, William Jones wrote:
> 1320440533.316479 JgQfacLEqNf 220.127.116.11 54999 18.104.22.168 80 above_hole_data_without_any_acks - F worker-5
> 1320440533.316479 a5JEFET8tid 22.214.171.124 54999 126.96.36.199 80 above_hole_data_without_any_acks - F worker-6
> 1320440533.316479 Olp5WQZeFsk 188.8.131.52 54999 184.108.40.206 80 above_hole_data_without_any_acks - F worker-7
Hm, I'm not totally convinced that you have pf_ring fully working yet. My guess is that each of those workers saw the same packet. Connection unique IDs will be generated differently on different hosts so you can't expect those to be the same and everything else, including the timestamp is exactly the same.
Can you send the output of:
broctl config | grep -i pfring
If there is a problem with pf_ring not being enabled correctly on some machines, we'd certainly like to figure it out.
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro