[Bro] internal error: unknown msg type 101 in Poll()
Seth Hall
hall.692 at osu.edu
Mon Feb 22 12:31:36 PST 2010
On Feb 22, 2010, at 2:42 PM, Sean McCreary wrote:
> Thanks for the suggestions. If I'm understanding correctly, the policy
> changes should help prevent load spikes from missing packets in the
> captured traffic. Since I am capturing traffic that includes flows that
> exceed 1 Gb/s, the workers will see periods of heavy load that are
> missing a lot of packets.
It should prevent spikes in the number of events that your workers are
sending to your manager, which should help. There are some problems
with the pipes between the parent (the real worker) and child
(communication) processes being filled and causing other strange
issues. I used to see this exact problem, but it has been a fairly
long time.

If you can try and reduce the number of events your manager is
receiving, that should help to mitigate the problem until the root
problem is found.
> Tweaking small_timeout down should also help prevent buffer overruns
> during a period of heavy load, at the cost of increasing the overall
> system load. Will these changes affect Bro in other ways as well?
I think that increased system load should be the only change, but you
won't actually see a change in CPU usage if you're running this on an
active cluster. The only time you should see any difference is if you
are running Bro that isn't seeing any activity. I'll leave it up to
Robin or Vern to say for sure though. :)
.Seth
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721