[Bro] internal error: unknown msg type 101 in Poll()
Sean McCreary
mccreary at ucar.edu
Thu Mar 4 16:38:58 PST 2010
On 20/02/10 11:48, Seth Hall wrote:
> On Feb 20, 2010, at 10:17 AM, Sean McCreary wrote:
>
>> I have been seeing several crashes per day due to 'internal error:
>> unknown msg type 101 in Poll()' in the manager process of a bro
>> cluster
>> handling ~2.5 Gb/s of traffic. Here is a typical stack trace:
>
>
> Try two things.
[...]
> 2. Add the following to your local.bro script:
> redef notice_action_filters += {
> [Weird::ContentGap] = ignore_notice,
> [Weird::AckAboveHole] = ignore_notice,
> };
> redef suppress_notice_actions += {
> Weird::ContentGap,
> Weird::AckAboveHole,
> };
FYI, this policy change was sufficient to fix the stability problems in
my cluster. I now believe the underlying problem is upstream packet
loss, and I have been working to eliminate that problem in my traffic
capture and distribution network. In hindsight, I've had similar
problems in the past with overloaded standalone Bro processes. Missing
packets generate a significant amount of additional load, and this tends
to turn a small problem into a more serious one. Perhaps we can start a
'debugging Bro problems' page on the wiki, or add this policy to an
existing one?
More information about the Bro
mailing list