[Bro] Bro performance issues

Tomer Teller djteller at gmail.com
Wed Nov 2 08:45:38 PDT 2011


This is my node.cfg config file:

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=em0

[worker-2]
type=worker
host=localhost
interface=em0

I am running on Bro 2.0 Beta.

I am replaying a 680000-packet pcap file to the machine.

When running broctl's netstats, this is what I see:

worker-1: 1320276618.514073 recvd=669576 dropped=0 link=669576
worker-2: 1320276618.714115 recvd=669576 dropped=0 link=669576

I expect to see load-balance between worker-1 and worker-2 but they are
getting the same traffic.

I decided to patch Bro in order to "support" that load-balancing.

I edited PktSrc::Process() (PktSrc.cc) and added my own code to distinguish
between processes (i.e. worker-1, worker-2).

Then looked at the data variable, extracted the ip src & dst and checked
for ->  (ipSRC ^ ipDST) % 2 == 0

Worker-1 gets all the even results, worker-2 gets all the odd results.

Also had to play around with (++stats.received) to reflect the new changes.

This small patch dramatically improved my performance.



On Tue, Nov 1, 2011 at 4:08 PM, Seth Hall <seth at icir.org> wrote:

>
> On Nov 1, 2011, at 4:26 AM, Tomer Teller wrote:
>
> > I configured the node.cfg and added:
> > 1 manager
> > 1 proxy
> > 2 workers  - sniffing the same interface
>
> Could you send the content of your node.cfg file?  I noticed in your
> broctl session you sent, there was a reference to worker-3 which isn't
> represented in your description.
>
> Thanks,
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
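
The (ipSRC ^ ipDST) % 2 split described in the message above, as an added example that is not part of the original post and is not Bro's code. It shows why XOR keeps both directions of a connection on the same worker. Assumptions: the names pick_worker and build_frame are hypothetical, frames are untagged Ethernet carrying IPv4, addresses are read in network byte order, and anything unparseable returns -1 for the caller to handle.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN 14
#define IP_MIN_HDR  20

/* Read a 32-bit big-endian (network order) value without alignment issues. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Worker index (0 = worker-1, 1 = worker-2, ...) for an Ethernet frame,
 * or -1 when it is not parseable IPv4 and the caller must pick a policy. */
int pick_worker(const uint8_t *data, size_t caplen, unsigned n_workers)
{
    if (n_workers == 0 || caplen < ETH_HDR_LEN + IP_MIN_HDR)
        return -1;
    if (data[12] != 0x08 || data[13] != 0x00)      /* EtherType != IPv4 */
        return -1;
    const uint8_t *ip = data + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4 || (ip[0] & 0x0f) < 5)   /* version, IHL */
        return -1;
    /* XOR is commutative, so A->B and B->A select the same worker. */
    return (int)((be32(ip + 12) ^ be32(ip + 16)) % n_workers);
}

/* Build a constructed 34-byte Ethernet+IPv4 header for the demo. */
void build_frame(uint8_t buf[34], uint32_t src, uint32_t dst)
{
    memset(buf, 0, 34);
    buf[12] = 0x08;                                /* EtherType 0x0800 */
    buf[14] = 0x45;                                /* IPv4, IHL = 5 */
    for (int i = 0; i < 4; i++) {
        buf[26 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[30 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
}

int main(void)
{
    uint8_t fwd[34], rev[34];
    build_frame(fwd, 0x0a000001, 0x0a000002);      /* 10.0.0.1 -> 10.0.0.2 */
    build_frame(rev, 0x0a000002, 0x0a000001);      /* reply direction */
    printf("fwd=%d rev=%d\n", pick_worker(fwd, 34, 2), pick_worker(rev, 34, 2));
    return 0;
}
```

With two workers only the lowest bit of each address affects the result, so how evenly the load splits depends on the address parity mix in the traffic.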