[Bro] Bro performance issues

William Jones jones at tacc.utexas.edu
Sun Nov 6 14:22:49 PST 2011 

Did you see the patch I sent to the list to export the PF_RING averment variables in run_bro.  It should fix your problem.


From: Tomer Teller [mailto:djteller at gmail.com]
Sent: Sunday, November 06, 2011 3:02 AM
To: Seth Hall
Cc: William Jones; Martin Holste; bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues



Seth, here is my configuration:

Bro 2.0beta
Running on Debian GNU/Linux 6.0

broctl config | grep pfring
> pfringclusterid = 21

ldd bro
> linux-vdso.so.1 =>  (0x00007fff41be1000)
> libpcap.so.1 => /usr/local/pfring/lib/libpcap.so.1 (0x00007f3a74c0c000)
> libpthread.so.0 => /lib/libpthread.so.0 (0x00007f3a749f0000)
> libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f3a7479a000)
> libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f3a743f9000)
> libmagic.so.1 => /usr/lib/libmagic.so.1 (0x00007f3a741db000)
> libz.so.1 => /usr/lib/libz.so.1 (0x00007f3a73fc3000)
> libGeoIP.so.1 => /usr/lib/libGeoIP.so.1 (0x00007f3a73d8c000)
> libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f3a73a78000)
> libm.so.6 => /lib/libm.so.6 (0x00007f3a737f5000)
> libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007f3a735df000)
> libc.so.6 => /lib/libc.so.6 (0x00007f3a7327e000)
> /lib64/ld-linux-x86-64.so.2 (0x00007f3a74e63000)
> libdl.so.2 => /lib/libdl.so.2 (0x00007f3a73079000)


cat /proc/net/pf_ring/*
> PF_RING Version     : 5.0.0 ($Revision: exported$)
> Ring slots          : 4096
> Slot version        : 13
> Capture TX          : Yes [RX+TX]
> IP Defragment       : No
> Socket Mode         : Standard
> Transparent mode    : Yes (mode 0)
> Total rings         : 0
> Total plugins       : 0


for i in  $(pidof bro); do echo -n "Pid:$i " ; cat /proc/$i/environ | grep -w 'PCAP_PF_RING_CLUSTER_ID';  done

Shows me that all instances exported the PCAP_PF_RING_CLUSTER_ID (also tested PCAP_PF_RING_USE_CLUSTER_PER_FLOW)

Again, Traffic does not split between the workers, they see the same packets.


On Nov 6, 2011, at 3:49, Seth Hall <seth at icir.org<mailto:seth at icir.org>> wrote:

On Nov 5, 2011, at 5:21 PM, William Jones wrote:


Attached is a patch to fix the getenv problem.  The were tow PCAP env variables that need a shell export statement.

This will make PF_RING work so long as all the data is going into one interface or bonded interface.


What shell are you using?  There is something messed up because those environment variables are already set and I think don't think you should need those lines in run-bro.  I haven't seen anyone else that has needed those lines at least.

 .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111106/87a12f89/attachment.html

More information about the Bro mailing list