[Bro] Packet loss during log rotation

Seth Hall seth at icir.org
Tue Sep 23 11:51:58 PDT 2014

On Sep 23, 2014, at 2:46 PM, Damian Gerow <damian.gerow at shopify.com> wrote:

> Standalone, as I slowly work towards cluster mode.

Switching to cluster mode with a single worker process is easy.  Just use the cluster config example and only configure a single worker.  Things should work basically the same as before.

>  Is there a single thread handling both reading packets and disk I/O?  Even at 5Mbps, I would have expected a single thread to be able to keep up with everything, unless it's waiting for compression.

Sort of.  The actual file I/O is threaded, but I think that the way the external script is called that performs the rotation might accidentally block in some cases.  Probably an area we should look into more closely some time.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
