[Bro] Bro performance issues

William Jones jones at tacc.utexas.edu
Sun Nov 6 15:06:27 PST 2011


I just sent info at bro-ids.org three patches to fix a few minor compatibility issues due to Python version differences. A patch to export the PF_RING variables so that the PF_RING libpcap can see the PF_RING environment variables. A patch to serialize the Bro workers' startup when opening multiple network interfaces when using PF_RING.


FYI

Seth

I have been able to get 8 workers reading 8 interfaces to work properly with PF_RING. There is a limit of 8 slots per cluster id in PF_RING. There is a good chance that it can be increased without any performance losses; that will have to be tested. There may also be some internal limitation with Bro when the number of workers goes above 8.

Bill Jones         

-----Original Message-----
From: Martin Holste [mailto:mcholste at gmail.com] 
Sent: Sunday, November 06, 2011 10:06 AM
To: Tomer Teller
Cc: Seth Hall; William Jones; bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues

What do you get for broctl status?

On Sun, Nov 6, 2011 at 3:02 AM, Tomer Teller <djteller at gmail.com> wrote:
>
> Seth, here is my configuration:
>
>
>
> Bro 2.0beta
>
> Running on Debian GNU/Linux 6.0
>
>
>
> broctl config | grep pfring
>
>> pfringclusterid = 21
>
>
>
> ldd bro
>
>> linux-vdso.so.1 =>  (0x00007fff41be1000)
>
>> libpcap.so.1 => /usr/local/pfring/lib/libpcap.so.1 (0x00007f3a74c0c000)
>
>> libpthread.so.0 => /lib/libpthread.so.0 (0x00007f3a749f0000)
>
>> libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f3a7479a000)
>
>> libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f3a743f9000)
>
>> libmagic.so.1 => /usr/lib/libmagic.so.1 (0x00007f3a741db000)
>
>> libz.so.1 => /usr/lib/libz.so.1 (0x00007f3a73fc3000)
>
>> libGeoIP.so.1 => /usr/lib/libGeoIP.so.1 (0x00007f3a73d8c000)
>
>> libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f3a73a78000)
>
>> libm.so.6 => /lib/libm.so.6 (0x00007f3a737f5000)
>
>> libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007f3a735df000)
>
>> libc.so.6 => /lib/libc.so.6 (0x00007f3a7327e000)
>
>> /lib64/ld-linux-x86-64.so.2 (0x00007f3a74e63000)
>
>> libdl.so.2 => /lib/libdl.so.2 (0x00007f3a73079000)
>
>
>
>
>
> cat /proc/net/pf_ring/*
>
>> PF_RING Version     : 5.0.0 ($Revision: exported$)
>
>> Ring slots          : 4096
>
>> Slot version        : 13
>
>> Capture TX          : Yes [RX+TX]
>
>> IP Defragment       : No
>
>> Socket Mode         : Standard
>
>> Transparent mode    : Yes (mode 0)
>
>> Total rings         : 0
>
>> Total plugins       : 0
>
>
>
>
>
> for i in $(pidof bro); do echo -n "Pid:$i "; cat /proc/$i/environ | grep -w 'PCAP_PF_RING_CLUSTER_ID'; done
>
>
>
> Shows me that all instances exported the PCAP_PF_RING_CLUSTER_ID (also
> tested PCAP_PF_RING_USE_CLUSTER_PER_FLOW)
>
>
>
> Again, traffic does not split between the workers; they see the same
> packets.
>
>
>
> On Nov 6, 2011, at 3:49, Seth Hall <seth at icir.org> wrote:
>
>
> On Nov 5, 2011, at 5:21 PM, William Jones wrote:
>
> Attached is a patch to fix the getenv problem.  There were two PCAP env
> variables that need a shell export statement.
>
> This will make PF_RING work so long as all the data is going into one
> interface or bonded interface.
>
>
> What shell are you using?  There is something messed up because those
> environment variables are already set and I don't think you should
> need those lines in run-bro.  I haven't seen anyone else that has needed
> those lines at least.
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
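
The thread checks each worker's /proc/<pid>/environ for the PF_RING clustering variables. The following is an added example, not code from the thread or from broctl, that splits the NUL-separated environ data, matches the variable name exactly, and confirms every worker carries the same cluster ID. The function names env_value and check_cluster_env are hypothetical and the environ files are constructed samples.

```shell
#!/bin/sh
# Added example: verify PF_RING clustering variables across Bro workers.
# /proc/<pid>/environ is NUL-separated, so split it before matching.

# Print the value of variable $2 from environ file $1; non-zero if absent.
env_value() {
    tr '\0' '\n' < "$1" | awk -v name="$2" '
        index($0, name "=") == 1 { print substr($0, length(name) + 2); found = 1; exit }
        END { exit !found }'
}

# Every file must carry variable $1, and all values must agree.
# Prints one line per file; returns 0 only when the set is consistent.
check_cluster_env() {
    var=$1; shift
    first=""; rc=0
    for f in "$@"; do
        if val=$(env_value "$f" "$var"); then
            echo "$f: $var=$val"
            : "${first:=$val}"
            [ "$val" = "$first" ] || { echo "  differs from $first" >&2; rc=1; }
        else
            echo "$f: $var not set" >&2; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample data standing in for /proc/<pid>/environ of three workers.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'PATH=/usr/bin\0PCAP_PF_RING_CLUSTER_ID=21\0' > "$demo_dir/w1"
printf 'PCAP_PF_RING_CLUSTER_ID=21\0PCAP_PF_RING_USE_CLUSTER_PER_FLOW=1\0' > "$demo_dir/w2"
printf 'PATH=/usr/bin\0XPCAP_PF_RING_CLUSTER_ID=21\0' > "$demo_dir/w3"   # near-miss name

check_cluster_env PCAP_PF_RING_CLUSTER_ID "$demo_dir/w1" "$demo_dir/w2" || echo "unexpected"
check_cluster_env PCAP_PF_RING_CLUSTER_ID "$demo_dir/w1" "$demo_dir/w3" || echo "w3 lacks the variable"

# On a live sensor (needs read access to the workers' /proc entries):
#   check_cluster_env PCAP_PF_RING_CLUSTER_ID $(for p in $(pidof bro); do echo /proc/$p/environ; done)
```

A consistent result only shows that the variables reached the worker processes; as the thread reports, traffic can still fail to split when they are present.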
