[Bro] Traffic just into a single worker in the cluster

李金苗 beikejinmiao at gmail.com
Thu Apr 14 05:02:10 PDT 2016

The deployment is as follows:
  - The cluster has two nodes, each with 2 workers, and the workers are
pinned to specific CPU cores.
  - Dell R620 and CentOS 7 with PF_RING

[root@centos soft]# uname -a
Linux centos 3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31 16:04:38 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@centos~]# cat /proc/net/pf_ring/info
PF_RING Version          : 6.3.0 (unknown)
Total rings              : 4

Standard (non DNA/ZC) Options
Ring slots               : 32768
Slot version             : 16
Capture TX               : Yes [RX+TX]
IP Defragment            : No
Socket Mode              : Standard
Total plugins            : 0
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0

broctl capture
[BroControl] > netstats
 worker-1-1: 1460663117.341926 recvd=5317 dropped=0 link=5317
 worker-1-2: 1460663117.542621 recvd=524 dropped=0 link=524
 worker-2-1: 1460663117.751165 recvd=17 dropped=0 link=17
 worker-2-2: 1460663117.945068 recvd=14417 dropped=0 link=14417

You can see that almost all of the traffic is captured by worker-2-2.
I downloaded 100 files, and only 25 of them could be extracted.

I found a very interesting phenomenon.
If I start 1 worker, all of the files can be extracted.
If I start 2 workers, 50% of the files can be extracted.
If I start 4 workers, 25% of the files can be extracted.
I don't know why.
Could anyone give me some advice? Thanks very much.