[Bro] Bro performance issues
William Jones
jones at tacc.utexas.edu
Fri Nov 4 14:09:12 PDT 2011
Just install bro with PF_RING without my filter to see what happens with load pf_ring load balancing.
As I though the load balancing does a good jobs of distributing the load across my 8 bro workes. The down side is that bro is not working correctly sense each bro work only see part of the tcp connections for example the wired log:
1320440533.316479 B1zdmt0vxHf 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-2
1320440533.316479 F1NuRpLxmri 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-4
1320440533.316479 GBvErIhMFH3 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-1
1320440533.316479 Jgz4LByaW62 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-8
1320440533.316479 JgQfacLEqNf 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-5
1320440533.316479 a5JEFET8tid 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-6
1320440533.316479 Olp5WQZeFsk 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-7
There are a lot of other functions that don't seem to work.
I am putting the filter back but I will continue to run pf_ring with load blancing turned off and see what happens.
-----Original Message-----
From: Seth Hall [mailto:seth at icir.org]
Sent: Friday, November 04, 2011 7:28 AM
To: Martin Holste
Cc: William Jones; Tomer Teller; bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues
On Nov 3, 2011, at 6:10 PM, Martin Holste wrote:
> Actually, I recommend setting up a bonded interface, which recent
> PF_RING's will happily monitor.
Ah, nice! Thanks for pointing that out.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
More information about the Bro
mailing list