[Bro] Bro workers die

Seth Hall seth at icir.org
Mon Apr 22 13:21:30 PDT 2013

On Apr 22, 2013, at 4:04 PM, Michal Purzynski <michal at rsbac.org> wrote:

> 1. does Bro use pf_ring by default with a configuration like this?

Yes, it's the lb_method=pf_ring that enables it.

> 2. how can i change the load balancing method? I need to spread things 
> more evenly.

What do you want to change it to?  I think it's doing 4-tuple or 5-tuple by default right now.

One problem you will encounter is a issue with pf_ring cluster_id choice.  You will be running two pf_ring clusters on the same host (i'm assuming that nsm1 is the same physical host) and pf_ring doesn't like that.  It does something weird like trying to stick packets from both NICs into the same queue.  We have it fixed for our next release (that did get merged into master, right Daniel?) but it's a problem right now.

You are sending us enough information to determine why you're seeing crashes though.  Could you send the output from broctl diag nsm1-eth5-1 (assuming that's a host that is currently crashed)?



Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list