[Bro] Bro-2.5.2 and PF_RING 6.7 not load balancing properly

Lamps, Jereme jlamps at sandia.gov
Tue Jan 30 12:07:29 PST 2018

It appears PF_RING is not properly load balancing between Bro instances. For example, I have a single Bro node with 5 bro procs. Every entry in http.log is duplicated 5 times (exact timestamp and all fields are identical except the UID). My conclusion is pf_ring is not splitting the traffic and that all procs are seeing all the traffic.

my node.cfg:

pf_ring was loaded with:
enable_tx_capture=0 min_num_slots=32768

Bro is correctly linked to libpcap libraries:
ldd /usr/local/bro/bin/bro | grep pcap
        libpcap.so.1 => /opt/pfring-6.6/lib/libpcap.so.1 (0x00007effe684d000)

pf_ring info:
[root at bro-box]# cat /proc/net/pf_ring/info
PF_RING Version          : 6.7.0 (dev:9b0e7c81718edb0ff6d070793bc868e3c3456bd5)
Total rings              : 6
Standard (non ZC) Options
Ring slots               : 32768
Slot version             : 16
Capture TX               : No [RX only]
IP Defragment            : No
Socket Mode              : Standard
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0

I am not sure where to go from here. Does anyone have any suggestions?

Jereme Lamps?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180130/d39d28de/attachment.html 

More information about the Bro mailing list