[Bro] Troubleshooting crashes
seth at icir.org
Thu Sep 13 07:47:41 PDT 2012
On Sep 13, 2012, at 10:28 AM, Tritium Cat <tritium.cat at gmail.com> wrote:
> The front-end setup is working ok. I was missing PFRINGClusterID in broctl.conf; fixing that seems to have helped with memory and cpu usage.
Oh, that should have been set already. Well, I suppose it might not have been if you upgraded this installation from a previous non-pf_ring enabled installation.
It may be time to revisit our decision to only set that variable when building against a pf_ring enabled libpcap since this "upgrading to pf_ring" problem exposes itself. Daniel, Jon, what do you guys think?
> The count of "split_routing" events is about equal across all workers so I think it's something to do with the load-balancing via PF_RING.
That sounds like the culprit.
> The traffic is 802.1Q tagged so maybe pf_ring is using 6-tuple load balancing for the cluster.
They made that configurable a while back for me. I would recommend trying 2-tuple or 4-tuple balancing (I don't remember their default). If you figure out how to configure it, could you let us know how so we don't have to go look it up? :)
Are you loading the misc/capture-loss script too? I would recommend loading that once you get this pf_ring issue all sorted out. That should be the final (or nearly final) measurement to see if you are getting all of your traffic correctly.
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro