[Bro] internal error: unknown msg type 101 in Poll()

Sean McCreary mccreary at ucar.edu
Mon Feb 22 14:37:04 PST 2010


On 22/02/10 14:16, Justin Azoff wrote:
> On Mon, Feb 22, 2010 at 01:39:45PM -0700, Tyler Schoenke wrote:
>> I just tried Seth's suggestions about filtering ContentGap and
>> AckAboveHole, and it has been quiet for the last couple hours. 
> 
> I ran into general load issues when I switched to running a single node
> cluster.. I traced it back to the same problem with ContentGap and
> AckAboveHole.. I also ignored Weird::WeirdActivity, which helped too.
> 
> If I ran capstats on the 'lo' interface, I would see Bro doing about 10mbps and
> a few thousand packets/sec for what seemed like no reason.  After ignoring
> those two event types lo now has under .1 mbps and about 20 packets/sec.

FWIW, I've also observed a significant decrease in CPU load on the
manager parent process as displayed by 'broctl top'.  The workers still
report high utilization, but the manager seems to be largely unaffected.
 Without Seth's policy changes in local.bro I would see a spike in CPU
load on the manager whenever any worker was under heavy load.




More information about the Bro mailing list