[Bro] Bro-2.5.2 and PF_RING 6.7 not load balancing properly
jlamps at sandia.gov
Tue Jan 30 12:07:29 PST 2018
It appears PF_RING is not properly load balancing between Bro instances. For example, I have a single Bro node with 5 bro procs. Every entry in http.log is duplicated 5 times (exact timestamp and all fields are identical except the UID). My conclusion is pf_ring is not splitting the traffic and that all procs are seeing all the traffic.
pf_ring was loaded with:
Bro is correctly linked to libpcap libraries:
ldd /usr/local/bro/bin/bro | grep pcap
libpcap.so.1 => /opt/pfring-6.6/lib/libpcap.so.1 (0x00007effe684d000)
[root at bro-box]# cat /proc/net/pf_ring/info
PF_RING Version : 6.7.0 (dev:9b0e7c81718edb0ff6d070793bc868e3c3456bd5)
Total rings : 6
Standard (non ZC) Options
Ring slots : 32768
Slot version : 16
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
I am not sure where to go from here. Does anyone have any suggestions?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro