[Bro] Bro performance issues

William Jones jones at tacc.utexas.edu
Fri Nov 4 22:35:34 PDT 2011

Found the problem.   getenv is not work on linux, sigh.

Bill Jones

-----Original Message-----
From: Seth Hall [mailto:seth at icir.org] 
Sent: Friday, November 04, 2011 8:23 PM
To: William Jones
Cc: Martin Holste; Tomer Teller; bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues

On Nov 4, 2011, at 5:09 PM, William Jones wrote:

> 1320440533.316479       JgQfacLEqNf   54999     80      above_hole_data_without_any_acks        -       F       worker-5
> 1320440533.316479       a5JEFET8tid   54999     80      above_hole_data_without_any_acks        -       F       worker-6
> 1320440533.316479       Olp5WQZeFsk   54999     80      above_hole_data_without_any_acks        -       F       worker-7

Hm, I'm not totally convinced that you have pf_ring fully working yet.  My guess is that each of those workers saw the same packet.  Connection unique IDs will be generated differently on different hosts so you can't expect those to be the same and everything else, including the timestamp is exactly the same. 

Can you send the output of:

broctl config | grep -i pfring


ldd <prefix>/bin/bro

If there is a problem with pf_ring not being enabled correctly on some machines, we'd certainly like to figure it out.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list