[Bro] Troubleshooting crashes
Seth Hall
seth at icir.org
Thu Sep 13 07:47:41 PDT 2012
On Sep 13, 2012, at 10:28 AM, Tritium Cat <tritium.cat at gmail.com> wrote:
> The front-end setup is working ok. I was missing PFRINGClusterID in broctl.conf; fixing that seems to have helped with memory and cpu usage.
Oh, that should have been set already. Well, I suppose it might not have been if you upgraded this installation from a previous non-pf_ring enabled installation.
It may be time to revisit our decision to only set that variable when building against a pf_ring enabled libpcap since this "upgrading to pf_ring" problem exposes itself. Daniel, Jon, what do you guys think?
> The count of "split_routing" events is about equal across all workers so I think it's something to do with the load-balancing via PF_RING.
That sounds like the culprit.
> The traffic is 802.1Q tagged so maybe pf_ring is using 6-tuple load balancing for the cluster.
They made that configurable a while back for me. I would recommend trying 2-tuple or 4-tuple balancing (I don't remember their default). If you figure out how to configure it, could you let us know how so we don't have to go look it up? :)
Are you loading the misc/capture-loss script too? I would recommend loading that once you get this pf_ring issue all sorted out. That should be the final (or nearly final) measurement to see if you are getting all of your traffic correctly.
http://www.bro-ids.org/documentation/scripts/policy/misc/capture-loss.html
Thanks!
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/