[Bro] Bro performance issues

William Jones jones at tacc.utexas.edu
Thu Nov 3 12:22:15 PDT 2011


By studying the pcap filter code I found a workaround. I set the "cmd_linebpdf_filter:" to my packet filter definition.

It would be nice to have a more formal way to do this.



From: Tomer Teller [mailto:djteller at gmail.com]
Sent: Thursday, November 03, 2011 6:47 AM
To: William Jones
Cc: Seth Hall; bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues

Thanks for the tip William,
This trick doesn't work on Bro 2.0.

I tried both aux_scripts and creating the worker-1.local.bro file

I installed the new policy stop/start and again the workers are not load-balancing traffic

tcpreplay  -i ethX --mbps=1000.0 680000_packets.pcap

[BroControl] > netstats
  worker-1: 1320349321.810072 recvd=639496 dropped=30101 link=669597
  worker-2: 1320349322.010123 recvd=639549 dropped=30048 link=669597

This is out-of-the-box Bro 2.0 with PF_RING and libpcap compiled with PF_RING.



On Wed, Nov 2, 2011 at 9:41 PM, William Jones <jones at tacc.utexas.edu> wrote:
Try the following pcap filtering trick:
[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=em0
aux_scripts=q1of2

[worker-2]
type=worker
host=localhost
interface=em0
aux_scripts=q2of2

Add the following scripts in <bro>share/bro/site

q1of2.bro:
redef restrict_filters += { ["q0"] = "(ip[12:4] + ip[16:4]) & 1 == 0" };

q2of2.bro:

redef restrict_filters += { ["q0"] = "(ip[12:4] + ip[16:4]) & 1 == 1" };



This will split input between the two bro workers.




From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Tomer Teller
Sent: Wednesday, November 02, 2011 10:46 AM
To: Seth Hall
Cc: bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues

This is my node.cfg config file:

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=em0

[worker-2]
type=worker
host=localhost
interface=em0

I am running on Bro 2.0 Beta.

I am replaying a 680000-packet pcap file to the machine.

When running broctl's netstats, this is what I see:

worker-1: 1320276618.514073 recvd=669576 dropped=0 link=669576
worker-2: 1320276618.714115 recvd=669576 dropped=0 link=669576

I expect to see load-balance between worker-1 and worker-2 but they are getting the same traffic.

I decided to patch Bro in order to "support" that load-balancing.

I edited PktSrc::Process() (PktSrc.cc) and added my own code to distinguish between processes (i.e. worker-1, worker-2).

Then looked at the data variable, extracted the ip src & dst and checked for ->  (ipSRC ^ ipDST) % 2 == 0

Worker-1 gets all the even results, Worker-2 gets all the odd results.

Also had to play around with (++stats.received) to reflect the new changes.

This small patch dramatically improved my performance.



On Tue, Nov 1, 2011 at 4:08 PM, Seth Hall <seth at icir.org> wrote:

On Nov 1, 2011, at 4:26 AM, Tomer Teller wrote:

> I configured the node.cfg and added:
> 1 manager
> 1 proxy
> 2 workers  - sniffing the same interface

Could you send the content of your node.cfg file?  I noticed in your broctl session you sent, there was a reference to worker-3 which isn't represented in your description.

Thanks,
 .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
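
Added example (not part of the original thread and not Bro code): a Python model of the two split rules discussed above, the restrict_filters expression "(ip[12:4] + ip[16:4]) & 1" and the "(ipSRC ^ ipDST) % 2" check, verifying that both directions of a flow land on the same worker and counting packets per worker. The function names, the constructed flows, and the extension to a power-of-two worker count are assumptions of this example, going beyond the two-worker case in the thread.

```python
import ipaddress
import struct

MASK32 = 0xFFFFFFFF  # BPF arithmetic is 32-bit unsigned, so sums wrap

def ipv4_header(src, dst):
    """Build a minimal 20-byte IPv4 header (constructed sample input)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def bucket_sum(hdr, workers=2):
    """Evaluate (ip[12:4] + ip[16:4]) & (workers-1) as the filter would."""
    src, dst = struct.unpack_from("!II", hdr, 12)
    return ((src + dst) & MASK32) & (workers - 1)

def bucket_xor(hdr, workers=2):
    """The (ipSRC ^ ipDST) % 2 variant described for the PktSrc patch."""
    src, dst = struct.unpack_from("!II", hdr, 12)
    return (src ^ dst) % workers

def restrict_filter(index, workers=2):
    """BPF string for worker `index`; workers must be a power of two."""
    if workers < 2 or workers & (workers - 1):
        raise ValueError("workers must be a power of two")
    return "(ip[12:4] + ip[16:4]) & %d == %d" % (workers - 1, index)

def distribution(flows, bucket, workers=2):
    """Count packets per worker, one packet in each direction per flow."""
    counts = [0] * workers
    for src, dst in flows:
        fwd = bucket(ipv4_header(src, dst), workers)
        rev = bucket(ipv4_header(dst, src), workers)
        if fwd != rev:  # a split flow would break connection tracking
            raise AssertionError("flow split across workers")
        counts[fwd] += 2
    return counts

# Constructed flows: 64 clients talking to one server.
FLOWS = [("10.0.0.%d" % i, "192.0.2.10") for i in range(1, 65)]

if __name__ == "__main__":
    for w in (2, 4):
        print(w, distribution(FLOWS, bucket_sum, w),
              [restrict_filter(i, w) for i in range(w)])
```

Because the filters index into the IPv4 header, packets that are not IPv4 match neither worker's restrict filter and are seen by no worker.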

