[Bro] internal error: unknown msg type 101 in Poll()
Sean McCreary
mccreary at ucar.edu
Mon Feb 22 11:42:54 PST 2010
On 20/02/10 11:48, Seth Hall wrote:
> On Feb 20, 2010, at 10:17 AM, Sean McCreary wrote:
>
>> I have been seeing several crashes per day due to 'internal error:
>> unknown msg type 101 in Poll()' in the manager process of a bro
>> cluster
>> handling ~2.5 Gb/s of traffic. Here is a typical stack trace:
>
>
> Try two things.
>
> 1. Apply this patch...
> http://tracker.icir.org/bro/ticket/220#comment:13
>
> 2. Add the following to your local.bro script:
> redef notice_action_filters += {
> [Weird::ContentGap] = ignore_notice,
> [Weird::AckAboveHole] = ignore_notice,
> };
> redef suppress_notice_actions += {
> Weird::ContentGap,
> Weird::AckAboveHole,
> };
Thanks for the suggestions. If I'm understanding correctly, the policy
changes should help prevent load spikes from missing packets in the
captured traffic. Since I am capturing traffic that includes flows that
exceed 1 Gb/s, the workers will see periods of heavy load that are
missing a lot of packets.
Tweaking small_timeout down should also help prevent buffer overruns
during a period of heavy load, at the cost of increasing the overall
system load. Will these changes affect Bro in other ways as well?
More information about the Bro
mailing list