[Bro] problem with traffic/statistics/caploss
philosnef at yahoo.com
Thu Jun 23 07:08:05 PDT 2016
So, we are running pf_ring zc with Bro. I have 128 gigs of RAM on a 32-core system. According to pfcount, I am receiving ~3.25Gb/s. According to cap-stats, Bro is saying I am only getting 2500Mb/s. Both traffic analysis tools say I get ~440kpps. I trust pf_ring more than cap-stats when looking at throughput, but they both accurately identify the pps associated with this box. The capture-loss.log is indicating I am losing anywhere from 10-25% of my traffic. Pfcount says I am dropping 0 packets. I have tried doing ethtool -L 20 $iface (running 20 workers), but that caused my capture loss to skyrocket. I am running pf_ring's SMP affinity, and have the standard set of ethtool flags set according to Bro documentation.
Eventually, Bro eats all the RAM in the box, but does not dip into swap. I have seen similar behavior on another box with 386 gigs of RAM and 1mpps, but only 2.25Gb/s. On that box, Bro eats up all 386 gigs of RAM...
Does anyone have a clue exactly what is going on?