[Bro] Bro workers die

Michal Purzynski michal at rsbac.org
Mon Apr 22 13:51:41 PDT 2013

On 4/22/13 10:21 PM, Seth Hall wrote:
> On Apr 22, 2013, at 4:04 PM, Michal Purzynski <michal at rsbac.org> wrote:
>> 1. does Bro use pf_ring by default with a configuration like this?
> Yes, it's the lb_method=pf_ring that enables it.
>> 2. how can I change the load balancing method? I need to spread things
>> more evenly.
> What do you want to change it to?  I think it's doing 4-tuple or 5-tuple by default right now.
OK, I might be wrong on that, it has helped in a big way for snort.
> One problem you will encounter is an issue with pf_ring cluster_id choice.  You will be running two pf_ring clusters on the same host (I'm assuming that nsm1 is the same physical host) and pf_ring doesn't like that.  It does something weird like trying to stick packets from both NICs into the same queue.  We have it fixed for our next release (that did get merged into master, right Daniel?) but it's a problem right now.
I'm running the SVN code, so you think it does not choose a unique 
cluster id for eth4 and another for eth5? How can I fix it?
> You are sending us enough information to determine why you're seeing crashes though.  Could you send the output from broctl diag nsm1-eth5-1 (assuming that's a host that is currently crashed)?
> Thanks,
>    .Seth
broctl diag nsm1-eth5-1

Bro 2.1-386

==== No reporter.log

==== stderr.log
listening on eth5, capture length 8192 bytes

1366658863.663940 processing suspended
1366658863.664006 processing continued
1366658869.682828 Failed to open GeoIP database: 
1366658869.682828 Fell back to GeoIP Country database
1366658869.682828 Failed to open GeoIP database: 

==== stdout.log

==== .cmdline
-i eth5 -U .status -p broctl -p broctl-live -p local -p nsm1-eth5-1 
local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto

==== .env_vars

==== .status
RUNNING [net_run]

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log

> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
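
A pre-flight check for the situation discussed in this thread (pf_ring-balanced workers on more than one interface of the same physical host), added here as an example; it is not part of the original message and is not BroControl's own code. The node.cfg text is constructed: the section names, the nsm2 host and the lb_procs values are assumptions.

```python
import configparser
from collections import defaultdict

# Constructed node.cfg for illustration; section names, nsm2 and lb_procs are assumptions.
SAMPLE_NODE_CFG = """
[manager]
type=manager
host=nsm1

[nsm1-eth4]
type=worker
host=nsm1
interface=eth4
lb_method=pf_ring
lb_procs=4

[nsm1-eth5]
type=worker
host=nsm1
interface=eth5
lb_method=pf_ring
lb_procs=4

[nsm2-eth0]
type=worker
host=nsm2
interface=eth0
lb_method=pf_ring
lb_procs=4
"""

def pf_ring_conflicts(node_cfg_text):
    """Return {host: sorted interfaces} for hosts that run pf_ring
    load-balanced workers on more than one interface."""
    cfg = configparser.ConfigParser()
    cfg.read_string(node_cfg_text)
    by_host = defaultdict(set)
    for name in cfg.sections():
        node = cfg[name]
        if node.get("type") != "worker":
            continue  # manager and proxy entries do not capture packets
        if node.get("lb_method", "").strip().lower() != "pf_ring":
            continue  # only pf_ring-balanced workers join a pf_ring cluster
        by_host[node.get("host", "?")].add(node.get("interface", "?"))
    return {h: sorted(i) for h, i in by_host.items() if len(i) > 1}

if __name__ == "__main__":
    for host, ifaces in pf_ring_conflicts(SAMPLE_NODE_CFG).items():
        print(f"{host}: pf_ring workers on {', '.join(ifaces)}; check cluster ids")
```

A host listed by this check is one where the workers for each interface need distinct pf_ring cluster ids.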
