[Bro] Bro-2.5.2 and PF_RING 6.7 not load balancing properly

Azoff, Justin S jazoff at illinois.edu
Wed Jan 31 08:25:37 PST 2018

> On Jan 30, 2018, at 3:07 PM, Lamps, Jereme <jlamps at sandia.gov> wrote:
> It appears PF_RING is not properly load balancing between Bro instances. For example, I have a single Bro node with 5 bro procs. Every entry in http.log is duplicated 5 times (exact timestamp and all fields are identical except the UID). My conclusion is pf_ring is not splitting the traffic and that all procs are seeing all the traffic. 

You may be running into an issue that was recently fixed in broctl and will be resolved in the next release.  Depending on the order you install things in, pf_ring load balancing can end up disabled.

What does the following output for your host?

    [root at bro-dev ~]# broctl config | grep pfring
    pfringclusterid = 21
    pfringclustertype = 4-tuple
    ringfirstappinstance = 0

if you have pfringclusterid set to 0, that's the problem that was just fixed.  You can easily workaround that by adding

PFRINGClusterID = 21

to your /usr/local/bro/etc/broctl.cfg

Once that is there, a broctl deploy should get everything working.

Justin Azoff

More information about the Bro mailing list