[Bro] Stand-alone cluster problems

Robin Sommer robin at icir.org
Wed Jun 10 10:22:32 PDT 2009


Hi Tyler, 

if I understand you correctly, there are actually two problems:

- Bro is dropping many packets even when running at rather low CPU

- after a few days, Bro hangs with 99% CPU and stalls.

Is that correct? 

Regarding the former, generally at 20-30% CPU Bro shouldn't drop any
significant amount of packets, there's no throttling mechanism or
such. One guess here would be the operating system. What kind of
system are you running on? Have you tried the tuning described on
http://www.net.t-labs.tu-berlin.de/research/bpcs/? Another question:
is there any regularity in the timestamps of when the drops occur?
Like in regular intervals? (But longer intervals than 10s as that's
just the reporting interval).

Regarding the latter, it would be good to know in which part of the
code Bro hangs. To find that out, can you do the following next time
it happens:

 - Attach a gdb with "gdb /path/to/bro/binary process-id-of-the-main-Bro-process"
 - Send me a stack backtrace from gdb's "bt" command

I wouldn't be totally surprised if the state checkpointing is the
culprit. To test that, can you remove the line "@load checkpoint"
from cluster.bro? 

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
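
The question above about regularity in the drop timestamps can be checked mechanically. The following is an added example, not part of the original message or of Bro itself: it assumes the drop-report times have already been extracted as epoch seconds, merges reports that follow each other at the 10 s reporting interval into one episode, and tests whether the gaps between episodes are near-constant. The function names, the slack and the 10% variation threshold are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

REPORT_INTERVAL = 10.0  # seconds; the drop-reporting interval named in the message


def drop_episodes(timestamps, report_interval=REPORT_INTERVAL, slack=1.0):
    """Merge back-to-back drop reports into episodes; return episode start times.

    Reports that follow each other at the reporting interval belong to one
    ongoing loss period, so only the first report of each run is kept.
    """
    starts = []
    prev = None
    for ts in sorted(timestamps):
        if prev is None or ts - prev > report_interval + slack:
            starts.append(ts)
        prev = ts
    return starts


def regularity(timestamps, max_cv=0.1, min_episodes=4):
    """Return (is_regular, mean_gap, cv) for the gaps between drop episodes.

    cv is the coefficient of variation of the gaps; a small value means the
    episodes recur at a near-fixed period (e.g. a periodic job on the host).
    """
    starts = drop_episodes(timestamps)
    if len(starts) < min_episodes:
        return (False, None, None)  # too few episodes to judge
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg
    return (cv <= max_cv, avg, cv)


# Constructed sample data (epoch seconds), not taken from a real Bro log.
# Periodic: a run of three reports every 900 s.
PERIODIC = [t + k * 10 for t in range(1000, 1000 + 5 * 900, 900) for k in range(3)]
# Irregular: episodes at uneven offsets.
IRREGULAR = [1000, 1010, 1340, 2900, 2910, 3100, 5200]

if __name__ == "__main__":
    for name, data in (("periodic", PERIODIC), ("irregular", IRREGULAR)):
        print(name, regularity(data))
```

A regular result with a mean gap well above 10 s points at something periodic (on the host or in Bro) rather than at traffic load.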


