[Bro] Bro Packet Loss / 10gb ixgbe / pf_ring

Nash, Paul Paul.Nash at tufts.edu
Fri Jan 8 08:24:22 PST 2016

Thanks Seth - I have my node.cfg to point to zc:eth3


Upon running broctl cleanup/deploy, I’m seeing that bro is called with only "-i zc:eth3”.  I tried calling it with “zc:2” (cluster ID) and zbalance_ipc handed out 8k packets before the bro workers crashed. 


On 1/8/16, 10:28 AM, "Seth Hall" <seth at icir.org> wrote:

>> On Jan 7, 2016, at 4:37 PM, Nash, Paul <Paul.Nash at tufts.edu> wrote:
>> I have a license for ZC, and if I change the interface from eth3 to zc:eth3, it will spawn up 16 workers, but only one of them is receiving any traffic.  I’m assuming that it is looking at zc:eth3 at 0 only.   Netstats proves that out.   If I run pfcount –I zc at eth3, it will show me that I’m receiving ~1gbp/s of traffic on the interface and not dropping anything.  
>If you make the line “interface=zc:eth3”, the pf_ring plugin for broctl should automatically change the interface that each Bro process is sniffing to the correct name as you’ve indicated (zc:eth3@[0-15]).  Configure it that way and the check with ps what interface is being sniffed (you will see it as part of the command line that broctl is executing).
>I added support for ZC to that plugin for the 2.4 release and I got it working and validated.  There are some issues with this path though because if a Bro process crashes or is shut down you will need to restart zbalance_ipc as well in order for that output ring to be reconnected.
>  .Seth
>Seth Hall
>International Computer Science Institute
>(Bro) because everyone has a network

More information about the Bro mailing list