[Bro] Bro performance issues

Tomer Teller djteller at gmail.com
Sun Nov 6 01:02:23 PST 2011 

Seth, here is my configuration:
 
Bro 2.0beta
Running on Debian GNU/Linux 6.0
 
broctl config | grep pfring
> pfringclusterid = 21
 
ldd bro
> linux-vdso.so.1 =>  (0x00007fff41be1000)
> libpcap.so.1 => /usr/local/pfring/lib/libpcap.so.1 (0x00007f3a74c0c000)
> libpthread.so.0 => /lib/libpthread.so.0 (0x00007f3a749f0000)
> libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f3a7479a000)
> libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f3a743f9000)
> libmagic.so.1 => /usr/lib/libmagic.so.1 (0x00007f3a741db000)
> libz.so.1 => /usr/lib/libz.so.1 (0x00007f3a73fc3000)
> libGeoIP.so.1 => /usr/lib/libGeoIP.so.1 (0x00007f3a73d8c000)
> libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f3a73a78000)
> libm.so.6 => /lib/libm.so.6 (0x00007f3a737f5000)
> libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007f3a735df000)
> libc.so.6 => /lib/libc.so.6 (0x00007f3a7327e000)
> /lib64/ld-linux-x86-64.so.2 (0x00007f3a74e63000)
> libdl.so.2 => /lib/libdl.so.2 (0x00007f3a73079000)
 
 
cat /proc/net/pf_ring/*
> PF_RING Version     : 5.0.0 ($Revision: exported$)
> Ring slots          : 4096
> Slot version        : 13
> Capture TX          : Yes [RX+TX]
> IP Defragment       : No
> Socket Mode         : Standard
> Transparent mode    : Yes (mode 0)
> Total rings         : 0
> Total plugins       : 0
 
 
for i in  $(pidof bro); do echo -n "Pid:$i " ; cat /proc/$i/environ | grep -w 'PCAP_PF_RING_CLUSTER_ID';  done
 
Shows me that all instances exported the PCAP_PF_RING_CLUSTER_ID (also tested PCAP_PF_RING_USE_CLUSTER_PER_FLOW)
 
Again, Traffic does not split between the workers, they see the same packets.
 

On Nov 6, 2011, at 3:49, Seth Hall <seth at icir.org> wrote:

> 
> On Nov 5, 2011, at 5:21 PM, William Jones wrote:
> 
>> Attached is a patch to fix the getenv problem.  The were tow PCAP env variables that need a shell export statement.
>> 
>> This will make PF_RING work so long as all the data is going into one interface or bonded interface.  
> 
> 
> What shell are you using?  There is something messed up because those environment variables are already set and I think don't think you should need those lines in run-bro.  I haven't seen anyone else that has needed those lines at least.
> 
>  .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111106/d042bac4/attachment.html

More information about the Bro mailing list