[Bro] Bro Packet Loss / 10gb ixgbe / pf_ring

Seth Hall seth at icir.org
Fri Jan 8 07:28:42 PST 2016

> On Jan 7, 2016, at 4:37 PM, Nash, Paul <Paul.Nash at tufts.edu> wrote:
> I have a license for ZC, and if I change the interface from eth3 to zc:eth3, it will spawn up 16 workers, but only one of them is receiving any traffic.  I’m assuming that it is looking at zc:eth3 at 0 only.   Netstats proves that out.   If I run pfcount –I zc at eth3, it will show me that I’m receiving ~1gbp/s of traffic on the interface and not dropping anything.  

If you make the line “interface=zc:eth3”, the pf_ring plugin for broctl should automatically change the interface that each Bro process is sniffing to the correct name as you’ve indicated (zc:eth3@[0-15]).  Configure it that way and the check with ps what interface is being sniffed (you will see it as part of the command line that broctl is executing).

I added support for ZC to that plugin for the 2.4 release and I got it working and validated.  There are some issues with this path though because if a Bro process crashes or is shut down you will need to restart zbalance_ipc as well in order for that output ring to be reconnected.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list