[Bro] Bro-2.5.2 and PF_RING 6.7 not load balancing properly
ben.bt.wood at gmail.com
Wed Jan 31 07:49:11 PST 2018
The default load balancing for bro pf_ring is to use 4-tuple.
If you have a lot of asymmetric traffic (hot IP/port combo like a syslog or
something), you'll see some "buckets" with more packets.
You may want to try a different load balancing scheme as outlined here:
On Tue, Jan 30, 2018 at 3:07 PM, Lamps, Jereme <jlamps at sandia.gov> wrote:
> It appears PF_RING is not properly load balancing between Bro instances.
> For example, I have a single Bro node with 5 bro procs. Every entry in
> http.log is duplicated 5 times (exact timestamp and all fields are
> identical except the UID). My conclusion is pf_ring is not splitting the
> traffic and that all procs are seeing all the traffic.
> *my node.cfg:*
> *pf_ring was loaded with:*
> enable_tx_capture=0 min_num_slots=32768
> *Bro is correctly linked to libpcap libraries:*
> ldd /usr/local/bro/bin/bro | grep pcap
> libpcap.so.1 => /opt/pfring-6.6/lib/libpcap.so.1
> *pf_ring info:*
> [root at bro-box]# cat /proc/net/pf_ring/info
> PF_RING Version : 6.7.0 (dev:9b0e7c81718edb0ff6d070793bc868
> Total rings : 6
> Standard (non ZC) Options
> Ring slots : 32768
> Slot version : 16
> Capture TX : No [RX only]
> IP Defragment : No
> Socket Mode : Standard
> Cluster Fragment Queue : 0
> Cluster Fragment Discard : 0
> I am not sure where to go from here. Does anyone have any suggestions?
> Jereme Lamps
> Bro mailing list
> bro at bro-ids.org
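Added example, not part of the original thread and not Bro or PF_RING project code: a check for the symptom described in the quoted message, where every http.log record appears once per worker with only the UID differing. The field subset, sample records and function names are constructed for illustration.

```python
from collections import Counter

# Trimmed field set in Bro's tab-separated log layout (assumption: real logs carry more columns).
FIELDS = "ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri".split()

def make_sample(copies):
    """Constructed http.log text: two requests, each logged `copies` times."""
    reqs = [("1517353620.101", "10.0.0.5", "40112", "192.0.2.10", "80", "GET", "example.test", "/"),
            ("1517353621.550", "10.0.0.7", "51820", "192.0.2.10", "80", "GET", "example.test", "/login")]
    lines = ["#separator \\x09", "#path\thttp", "#fields\t" + "\t".join(FIELDS)]
    for i, req in enumerate(reqs):
        for w in range(copies):
            lines.append("\t".join((req[0], f"C{i}w{w}") + req[1:]))  # only uid differs
    return "\n".join(lines)

def parse_bro_log(text):
    """Return one dict per record, using the #fields header for column names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def duplication_profile(rows, ignore=("uid",)):
    """Map 'number of copies' -> 'how many distinct records have that many copies'."""
    per_record = Counter(
        tuple((k, v) for k, v in sorted(row.items()) if k not in ignore)
        for row in rows
    )
    return Counter(per_record.values())

def diagnose(rows, workers):
    """Classify the log against the number of Bro worker processes on the node."""
    if not rows:
        return "no-records"
    profile = duplication_profile(rows)
    if set(profile) == {1}:
        return "no-duplication"
    if set(profile) == {workers}:
        return "all-workers-see-all-traffic"  # traffic is not being split
    return "partial-duplication"

if __name__ == "__main__":
    for copies in (5, 1):
        rows = parse_bro_log(make_sample(copies))
        print(copies, dict(duplication_profile(rows)), diagnose(rows, workers=5))
```
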