[Bro] Issue: load balancer PF_RING drops 25% of incoming packets

Azoff, Justin S jazoff at illinois.edu
Tue Jul 26 14:08:51 PDT 2016

> On Jul 26, 2016, at 4:23 PM, Rosinger, Enno (DualStudy) <enno.rosinger at hpe.com> wrote:
> Strangely only 16 Million of my 21 Million packet input pass through the PF_RING kernel module. Nevertheless they are then distributed correctly on the Bro processes.
> How can I avoid this loss of 5 Million packets and how can I verify that PF_RING is configured correctly?

What are you using to measure the difference in packet counts?  Where is the 21 and 16 coming from?

Can you add this to your local.bro and see what it logs to capture_loss.log after 30 minutes or so?

    @load misc/capture-loss

> I use Intel Corporation I350 Gigabit Network Connection as NICs. They work with the igb drivers.
> The input rate is 0.5Gb/s = 60k to 80k packets/s and currently I am working without the ZeroCopy drivers
> It is verified that all of my 21 Million packets are received by my NIC’s driver.
> The PF_Ring module itself exists and BRO is running with load balancing.
> Looking forward to your response and hope to solve this problem with you. Below you will find more detailed information about my system.
> If you need something else let me know.
> Best,
> Enno
> Additional information:
> One interesting fact: I cannot run “make” in “PF_RING/userland/examples”, because
> gcc: error: ../libpcap/libpcap.a: No such file or directory
> PF_RING/userland looks like this. Indeed “libpcap” is missing
> c++  examples  examples_zc  fast_bpf  go  lib  libpcap-1.7.4  Makefile  snort  tcpdump-4.7.4

This should fix your build issue:

    cd PF_RING/userland
    ln -s libpcap-1.7.4 libpcap

- Justin Azoff

More information about the Bro mailing list