[Bro] Bro performance issues

Tomer Teller djteller at gmail.com
Sun Nov 6 08:26:01 PST 2011


Name       Type       Host       Status        Pid    Peers  Started
manager    manager    localhost  running       30614  3      06 Nov 18:01:09
proxy-1    proxy      localhost  running       30645  3      06 Nov 18:01:11
worker-1   worker     localhost  running       30688  2      06 Nov 18:01:13
worker-2   worker     localhost  running       30689  2      06 Nov 18:01:13
 

On Nov 6, 2011, at 18:05, Martin Holste <mcholste at gmail.com> wrote:

> What do you get for broctl status?
> 
> On Sun, Nov 6, 2011 at 3:02 AM, Tomer Teller <djteller at gmail.com> wrote:
>> 
>> Seth, here is my configuration:
>> 
>> 
>> 
>> Bro 2.0beta
>> 
>> Running on Debian GNU/Linux 6.0
>> 
>> 
>> 
>> broctl config | grep pfring
>> 
>>> pfringclusterid = 21
>> 
>> 
>> 
>> ldd bro
>> 
>>> linux-vdso.so.1 =>  (0x00007fff41be1000)
>> 
>>> libpcap.so.1 => /usr/local/pfring/lib/libpcap.so.1 (0x00007f3a74c0c000)
>> 
>>> libpthread.so.0 => /lib/libpthread.so.0 (0x00007f3a749f0000)
>> 
>>> libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f3a7479a000)
>> 
>>> libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f3a743f9000)
>> 
>>> libmagic.so.1 => /usr/lib/libmagic.so.1 (0x00007f3a741db000)
>> 
>>> libz.so.1 => /usr/lib/libz.so.1 (0x00007f3a73fc3000)
>> 
>>> libGeoIP.so.1 => /usr/lib/libGeoIP.so.1 (0x00007f3a73d8c000)
>> 
>>> libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f3a73a78000)
>> 
>>> libm.so.6 => /lib/libm.so.6 (0x00007f3a737f5000)
>> 
>>> libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007f3a735df000)
>> 
>>> libc.so.6 => /lib/libc.so.6 (0x00007f3a7327e000)
>> 
>>> /lib64/ld-linux-x86-64.so.2 (0x00007f3a74e63000)
>> 
>>> libdl.so.2 => /lib/libdl.so.2 (0x00007f3a73079000)
>> 
>> 
>> 
>> 
>> 
>> cat /proc/net/pf_ring/*
>> 
>>> PF_RING Version     : 5.0.0 ($Revision: exported$)
>> 
>>> Ring slots          : 4096
>> 
>>> Slot version        : 13
>> 
>>> Capture TX          : Yes [RX+TX]
>> 
>>> IP Defragment       : No
>> 
>>> Socket Mode         : Standard
>> 
>>> Transparent mode    : Yes (mode 0)
>> 
>>> Total rings         : 0
>> 
>>> Total plugins       : 0
>> 
>> 
>> 
>> 
>> 
>> for i in  $(pidof bro); do echo -n "Pid:$i " ; cat /proc/$i/environ | grep
>> -w 'PCAP_PF_RING_CLUSTER_ID';  done
>> 
>> 
>> 
>> Shows me that all instances exported the PCAP_PF_RING_CLUSTER_ID (also
>> tested PCAP_PF_RING_USE_CLUSTER_PER_FLOW)
>> 
>> 
>> 
>> Again, Traffic does not split between the workers, they see the same
>> packets.
>> 
>> 
>> 
>> On Nov 6, 2011, at 3:49, Seth Hall <seth at icir.org> wrote:
>> 
>> 
>> On Nov 5, 2011, at 5:21 PM, William Jones wrote:
>> 
>> Attached is a patch to fix the getenv problem.  The were tow PCAP env
>> variables that need a shell export statement.
>> 
>> This will make PF_RING work so long as all the data is going into one
>> interface or bonded interface.
>> 
>> 
>> What shell are you using?  There is something messed up because those
>> environment variables are already set and I think don't think you should
>> need those lines in run-bro.  I haven't seen anyone else that has needed
>> those lines at least.
>> 
>>  .Seth
>> 
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro-ids.org/
>> 
>> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111106/5e83184a/attachment.html 


More information about the Bro mailing list