[Bro-Dev] #943: PF_Ring plugin to support load balancing while sniffing multiple interfaces

William Jones jones at tacc.utexas.edu
Fri Apr 26 11:23:10 PDT 2013

I understand what problem was fixed. I was hoping that some in the bro group would recognize that there are more problems with pf_ring and bro than the current set of problems being talked about.

I merged packet streams before and found that method didn't solve my dropped packet problems. What did was allocating enough packet space in the kernel per interface and having bro read from each interface.

Right now I am monitoring a 2 10 GigE LACP pair. I am about to put in a system so that I can monitor a 4 10 GigE LACP setup.

You really should investigate what it takes to keep up with multiple 10 GigE LACP interfaces. You might come to a different conclusion about the usefulness of merging interfaces in the kernel.

-----Original Message-----
From: Seth Hall [mailto:seth at icir.org] 
Sent: Friday, April 26, 2013 12:40 PM
To: William Jones
Cc: bro at tracker.bro.org; seth at icir.org; dnthayer at ncsa.illinois.edu; bro-dev at bro.org
Subject: Re: [Bro-Dev] #943: PF_Ring plugin to support load balancing while sniffing multiple interfaces

On Apr 26, 2013, at 1:08 PM, William Jones <jones at tacc.utexas.edu> wrote:

> I read from multiple interfaces per worker, a consequence of using taps to monitor a two port 10 GigE LACP pair.  The net

This is fixing a different problem.  People have been having trouble monitoring two separate links that don't see split routing.  The problem you're encountering is something that most people have been fixing by merging the traffic streams before sending them into the analysis box with a separate piece of hardware (it would typically get load balanced at the same time too).


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
