[Bro] High-CPU on just a single worker in the cluster
bro at pingtrip.com
Thu Apr 14 08:18:17 PDT 2016
$ sudo tcpdump -n -i eth6 not ip and not arp -c10000 | grep ethertype | cut -f 2 -d ',' | sort | uniq -c
9980 ethertype Unknown (0x8903)
A quick Google points to Cisco FabricPath Switching ( http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/fabricpath/configuration/guide/fp_switching.html )
"The FabricPath hierarchical MAC address carries the reserved EtherType 0x8903."
I suppose now is a good time to reach out to the Network Engineering team and ask about the SPAN placement in that datacenter.
Thanks for helping me quickly navigate this issue!
> On Apr 14, 2016, at 10:41 AM, Azoff, Justin S <jazoff at illinois.edu> wrote:
>> On Apr 14, 2016, at 9:55 AM, Dave Crawford <bro at pingtrip.com> wrote:
>> You may be on to something with the non-ip traffic... there is a drastic difference between the two datacenters:
>> 1460641772.239436 pkts=10414545 kpps=208.2 kbytes=5732528 mbps=938.6 nic_pkts=10414545 nic_drops=0 u=104675 t=3627503 i=307 o=405 nonip=6681655
>> 1460641723.573448 pkts=9553569 kpps=178.9 kbytes=6561123 mbps=1006.6 nic_pkts=9553569 nic_drops=0 u=174140 t=9373195 i=267 o=934 nonip=5033
> Great.. just what I was thinking. At this point you should be able to just run something like
> tcpdump -n -c 1000 'not ip'
> on the WIN box
> and see exactly what this traffic is.. then we can figure out what to do about it...
> - Justin Azoff
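The EtherType tally from the tcpdump pipeline in the message above, done offline over a saved capture, as an added example that is not part of the original thread. It goes one step beyond the tcpdump filter by skipping 802.1Q/802.1ad tags before classifying a frame; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

IPV4, ARP = 0x0800, 0x0806       # what "not ip and not arp" filters out
VLAN_TAGS = {0x8100, 0x88A8}     # 802.1Q / 802.1ad

def iter_frames(pcap):
    """Yield raw frames from a classic, microsecond-resolution pcap held in bytes."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap capture")
    off = 24                     # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(order + "I", pcap, off + 8)[0]  # captured length
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def ethertype(frame):
    """EtherType after any VLAN tags; None for truncated or 802.3 length frames."""
    pos = 12
    while pos + 2 <= len(frame):
        et = struct.unpack_from("!H", frame, pos)[0]
        if et not in VLAN_TAGS:
            return et if et >= 0x0600 else None
        pos += 4                 # step over the 4-byte tag
    return None

def non_ip_histogram(pcap):
    """Count frames that are neither IPv4 nor ARP, keyed by EtherType."""
    counts = Counter()
    for frame in iter_frames(pcap):
        et = ethertype(frame)
        if et not in (IPV4, ARP):
            counts["other" if et is None else f"0x{et:04x}"] += 1
    return counts

# Constructed sample capture (not data from the thread).
def sample_frame(et, vlan=False):
    tag = struct.pack("!HH", 0x8100, 10) if vlan else b""
    return b"\x02" * 6 + b"\x04" * 6 + tag + struct.pack("!H", et) + b"\x00" * 46

def sample_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE = sample_pcap([sample_frame(0x8903)] * 5 + [sample_frame(0x8903, vlan=True)] * 2
                     + [sample_frame(0x0800)] * 3 + [sample_frame(0x0800, vlan=True)]
                     + [sample_frame(0x0806), sample_frame(0x88CC)])

if __name__ == "__main__":
    for etype, n in non_ip_histogram(SAMPLE).most_common():
        print(f"{n:7d} ethertype {etype}")
```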