[Bro] Bro Packet Loss / 10gb ixgbe / pf_ring
dnthayer at illinois.edu
Fri Jan 8 09:26:34 PST 2016
Did you check that the broctl config option "pfringclusterid"
has a non-zero value?
broctl config | grep pfring
You can also check that broctl is using the correct interface
name by looking at the "interface=" field in the output of
the following command:
On 01/08/2016 10:24 AM, Nash, Paul wrote:
> Thanks Seth - I have my node.cfg to point to zc:eth3
> Upon running broctl cleanup/deploy, I’m seeing that bro is called with only "-i zc:eth3”. I tried calling it with “zc:2” (cluster ID) and zbalance_ipc handed out 8k packets before the bro workers crashed.
> On 1/8/16, 10:28 AM, "Seth Hall" <seth at icir.org> wrote:
>>> On Jan 7, 2016, at 4:37 PM, Nash, Paul <Paul.Nash at tufts.edu> wrote:
>>> I have a license for ZC, and if I change the interface from eth3 to zc:eth3, it will spawn up 16 workers, but only one of them is receiving any traffic. I’m assuming that it is looking at zc:eth3 at 0 only. Netstats proves that out. If I run pfcount –I zc at eth3, it will show me that I’m receiving ~1gbp/s of traffic on the interface and not dropping anything.
>> If you make the line “interface=zc:eth3”, the pf_ring plugin for broctl should automatically change the interface that each Bro process is sniffing to the correct name as you’ve indicated (zc:eth3@[0-15]). Configure it that way and the check with ps what interface is being sniffed (you will see it as part of the command line that broctl is executing).
>> I added support for ZC to that plugin for the 2.4 release and I got it working and validated. There are some issues with this path though because if a Bro process crashes or is shut down you will need to restart zbalance_ipc as well in order for that output ring to be reconnected.
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
> Bro mailing list
> bro at bro-ids.org
More information about the Bro