[Bro] Bro performance issues

Tomer Teller djteller at gmail.com
Mon Oct 31 03:45:14 PDT 2011


All the packets are valid IPv4, I just noticed that my CPU goes to 92% so I
am probably suffering drops due to load.

I decided to set up a cluster to utilize my machine's 4 cores.

1 for Manager, 1 for Proxy and 2 for Workers.

To avoid installing click router and rewrite packets I want to load
worker-1 and worker-2 with different policies so they won't handle traffic
twice.

worker1-policy.bro:
redef restrict_filters += { ["capture even src/dest pairs only"] =
"(ip[12:4] + ip[16:4]) & 1 == 0" };

worker2-policy.bro:
redef restrict_filters += { ["capture odd src/dest pairs only"] =
"(ip[12:4] + ip[16:4]) & 1 == 1" };


Is this possible and recommended? (Just trying to pump up performance)

How do I load worker-1 with 'worker1-policy.bro' and worker-2 with
'worker2-policy.bro' ? The documentation only talks
about 'local-worker.bro' that is being loaded by all the workers.

Thanks
On Mon, Oct 31, 2011 at 6:27 AM, Seth Hall <seth at icir.org> wrote:

>
> On Oct 30, 2011, at 5:46 AM, Tomer Teller wrote:
>
> > event new_packet (c: connection,p: pkt_hdr)
>
> > Nothing helps, Bro does not see all the packets.
> > Any ideas what is the problem?
>
> If I remember correctly, the new_packet event is only fired for IPv4
> packets.  Internally it can't deal with IPv6 packets but it also doesn't
> work with non-IP packets.  Do the numbers you're getting match the number
> of IPv4 packets in your traffic trace file?
>
>  .SEth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
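The following is an added example, not part of the original thread or of Bro itself. It emulates the two restrict_filters BPF expressions from the post in Python so one can check, on constructed packets, that the even/odd split sends every IPv4 packet to exactly one worker and keeps both directions of a connection on the same worker (addition is commutative). It also shows the visibility gap Seth's reply hints at: the `ip` keyword only matches IPv4, so anything else (the IPv6-looking sample below) matches neither worker's filter and is seen by nobody. It assumes raw IPv4 packets with no link-layer header, so pcap's ip[12:4] and ip[16:4] are bytes 12..15 and 16..19 of the buffer; all sample packets and the helper names are constructed for this example.

```python
"""Emulate '(ip[12:4] + ip[16:4]) & 1 == 0' / '== 1' worker split.

Added example; not code from the original mailing-list thread or from Bro.
Assumes raw IPv4 packets (no Ethernet header). Sample packets are constructed.
"""
import ipaddress
import struct
from collections import defaultdict


def build_ipv4_packet(src: str, dst: str, proto: int = 6) -> bytes:
    """Build a minimal 20-byte IPv4 header with no payload (constructed sample)."""
    ver_ihl = (4 << 4) | 5          # version 4, IHL 5 (20 bytes)
    total_len = 20
    return struct.pack('!BBHHHBBH4s4s',
                       ver_ihl, 0, total_len,
                       0, 0,            # identification, flags/fragment offset
                       64, proto, 0,    # TTL, protocol, checksum (unused here)
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def bpf_parity(pkt: bytes):
    """Emulate the BPF expression '(ip[12:4] + ip[16:4]) & 1' from the post.

    ip[12:4] is the 32-bit source address, ip[16:4] the destination.
    Returns 0 or 1 for IPv4 packets, or None when the packet is not IPv4:
    'ip' in a BPF filter only matches IPv4, so such packets match neither worker.
    """
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return None
    src, dst = struct.unpack('!II', pkt[12:20])
    # BPF arithmetic is 32-bit and wraps; wrapping never changes the low bit.
    return ((src + dst) & 0xFFFFFFFF) & 1


def assign_worker(pkt: bytes) -> str:
    """worker-1 takes even sums (== 0), worker-2 odd sums (== 1), as in the post."""
    parity = bpf_parity(pkt)
    if parity is None:
        return 'unassigned'     # seen by no worker: a visibility gap, not a duplicate
    return 'worker-1' if parity == 0 else 'worker-2'


def partition(pkts):
    """Group packet indices by the worker whose filter accepts them."""
    buckets = defaultdict(list)
    for i, pkt in enumerate(pkts):
        buckets[assign_worker(pkt)].append(i)
    return dict(buckets)


# Constructed sample traffic: three connections, each in both directions,
# plus one IPv6-looking packet (version nibble 6) that neither filter matches.
SAMPLE_PACKETS = [
    build_ipv4_packet('10.0.0.1', '10.0.0.2'),      # ...01 + ...02 -> odd
    build_ipv4_packet('10.0.0.2', '10.0.0.1'),      # reverse direction, same parity
    build_ipv4_packet('10.0.0.1', '10.0.0.3'),      # ...01 + ...03 -> even
    build_ipv4_packet('10.0.0.3', '10.0.0.1'),
    build_ipv4_packet('192.168.1.10', '8.8.8.8'),   # 0x0A + 0x08 -> even
    build_ipv4_packet('8.8.8.8', '192.168.1.10'),
    bytes([0x60]) + bytes(39),                      # minimal IPv6-looking header
]

if __name__ == '__main__':
    for worker, idxs in sorted(partition(SAMPLE_PACKETS).items()):
        print(f'{worker}: packets {idxs}')
```

Running it shows worker-1 and worker-2 receiving disjoint sets that together cover every IPv4 packet, with each connection's two directions landing on the same worker; the non-IPv4 packet ends up in 'unassigned', which is the case to watch for when relying on `ip[...]`-based filters for load splitting.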