[Bro] Bro 2.0 packets dropped

Machiel van Veen mvv at sentia.nl
Mon Feb 13 01:30:50 PST 2012


On Friday 10 February 2012 22:42:43 Martin Holste wrote:
> What do you see in /proc/net/pf_ring/ ?  If you cat a file matching
> the PID of one of the Bro processes, it should say what the cluster_id
> is.  If they are all 21, then it is working.
> 

It looks like only one worker uses pfring, the clusterid is 21.

$ ls -l /proc/net/pf_ring/
r--r--r-- 1 root root 0 Feb 13 10:15 15489-p1p1.1
dr-xr-xr-x 5 root root 0 Feb 13 10:15 dev
-r--r--r-- 1 root root 0 Feb 13 10:15 info
-r--r--r-- 1 root root 0 Feb 13 10:15 plugins_info

[BroControl] > status
...
worker-1   worker     192.168.42.215 running       15489  2      13 Feb 10:12:02
...

When I set transparent_mode to 2 it shows:

[BroControl] > netstats
  worker-1: 1329124697.533460 recvd=144655 dropped=0 link=144655
  worker-2: 1329124697.733532 recvd=0 dropped=0 link=0
  worker-3: 1329124697.934520 recvd=0 dropped=0 link=0

The other two workers do not connect. The only thing I could find so far which could cause this is quick_mode, I've disabled this option.

Any idea what else could cause this?

Machiel.



More information about the Bro mailing list