[Bro] High-CPU on just a single worker in the cluster

Azoff, Justin S jazoff at illinois.edu
Thu Apr 14 10:11:25 PDT 2016

> On Apr 14, 2016, at 11:18 AM, Dave Crawford <bro at pingtrip.com> wrote:
> $ sudo tcpdump -n -i eth6 not ip and not arp -c10000 | grep ethertype | cut -f 2 -d ',' | sort | uniq -c
>    9980  ethertype Unknown (0x8903)
> A quick Google points to Cisco FabricPath Switching ( http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/fabricpath/configuration/guide/fp_switching.html)
> "The FabricPath hierarchical MAC address carries the reserved EtherType 0x8903."
> I suppose now is a good time to reach out to the Network Engineering team and ask about the SPAN placement in that datacenter.
> Thanks for helping me quickly navigate this issue!
> -Dave

Ah.. so there are probably two issues here: bro and pf_ring

Based on this image from your link, the FP header is fixed size, so adding support for it to bro should be easy enough: handle that ether type, skip the right number of bytes (see iosource/Packet.cc)

That won't help with the pf_ring issue though, but you're probably best reaching out to the pf_ring people about this issue.

It's entirely possible you can fix the issue with a different span configuration though.

- Justin Azoff
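
The decapsulation step suggested above, as an added standalone example; it is not Bro's code and not part of the original message. It assumes the 16-byte FabricPath header from Cisco's published frame format (outer MACs, EtherType 0x8903, then a 2-byte FTag/TTL field), which the thread itself does not spell out; `locate_l3` and `L3Info` are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Assumed layout (Cisco's published FabricPath format, not given in the thread):
// outer DA(6) | outer SA(6) | EtherType 0x8903(2) | FTag+TTL(2) | inner Ethernet frame
constexpr uint16_t ETHERTYPE_FABRICPATH = 0x8903;
constexpr uint16_t ETHERTYPE_VLAN = 0x8100;
constexpr size_t ETH_HDR_LEN = 14;
constexpr size_t FP_HDR_LEN = 16;

struct L3Info {
    uint16_t ethertype;  // EtherType of the innermost payload
    size_t offset;       // byte offset of that payload within the capture
    bool fabricpath;     // true if a FabricPath header was skipped
};

static uint16_t be16(const uint8_t* p) { return uint16_t((p[0] << 8) | p[1]); }

// Hypothetical helper: find the L3 payload, skipping one FabricPath header
// and any 802.1Q tags. Returns false when the capture is too short.
bool locate_l3(const uint8_t* data, size_t caplen, L3Info* out) {
    if (caplen < ETH_HDR_LEN) return false;
    size_t off = 0;
    bool fp = false;
    uint16_t type = be16(data + 12);
    if (type == ETHERTYPE_FABRICPATH) {
        if (caplen < FP_HDR_LEN + ETH_HDR_LEN) return false;  // truncated inner frame
        off = FP_HDR_LEN;
        fp = true;
        type = be16(data + off + 12);
    }
    off += ETH_HDR_LEN;
    while (type == ETHERTYPE_VLAN) {
        if (caplen < off + 4) return false;  // truncated VLAN tag
        type = be16(data + off + 2);
        off += 4;
    }
    *out = L3Info{type, off, fp};
    return true;
}

int main() {
    uint8_t frame[34] = {0};               // constructed sample, MACs left as zeros
    frame[12] = 0x89; frame[13] = 0x03;    // outer EtherType: FabricPath
    frame[28] = 0x08; frame[29] = 0x00;    // inner EtherType: IPv4
    L3Info info;
    if (locate_l3(frame, sizeof frame, &info))
        std::printf("type=0x%04x offset=%zu fp=%d\n", info.ethertype, info.offset, info.fabricpath);
    return 0;
}
```

The length checks matter on a SPAN feed: a snap-length-truncated FabricPath frame is rejected rather than read past the end of the capture buffer.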
