[Bro] Bro performance issues
William Jones
jones at tacc.utexas.edu
Fri Nov 4 17:34:02 PDT 2011
I backed down from the PF_RING pcap library. I couldn't find a way to run off the load balancing.
-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of William Jones
Sent: Friday, November 04, 2011 4:09 PM
To: 'Seth Hall'; Martin Holste
Cc: bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues
Just install bro with PF_RING without my filter to see what happens with load pf_ring load balancing.
As I though the load balancing does a good jobs of distributing the load across my 8 bro workes. The down side is that bro is not working correctly sense each bro work only see part of the tcp connections for example the wired log:
1320440533.316479 B1zdmt0vxHf 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-2
1320440533.316479 F1NuRpLxmri 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-4
1320440533.316479 GBvErIhMFH3 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-1
1320440533.316479 Jgz4LByaW62 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-8
1320440533.316479 JgQfacLEqNf 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-5
1320440533.316479 a5JEFET8tid 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-6
1320440533.316479 Olp5WQZeFsk 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-7
There are a lot of other functions that don't seem to work.
I am putting the filter back but I will continue to run pf_ring with load blancing turned off and see what happens.
-----Original Message-----
From: Seth Hall [mailto:seth at icir.org]
Sent: Friday, November 04, 2011 7:28 AM
To: Martin Holste
Cc: William Jones; Tomer Teller; bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues
On Nov 3, 2011, at 6:10 PM, Martin Holste wrote:
> Actually, I recommend setting up a bonded interface, which recent
> PF_RING's will happily monitor.
Ah, nice! Thanks for pointing that out.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
More information about the Bro
mailing list