[Bro] Troubleshooting crashes

Seth Hall seth at icir.org
Thu Sep 13 07:47:41 PDT 2012


On Sep 13, 2012, at 10:28 AM, Tritium Cat <tritium.cat at gmail.com> wrote:

> The front-end setup is working ok.  I was missing PFRINGClusterID in broctl.conf; fixing that seems to have helped with memory and cpu usage.

Oh, that should have been set already.  Well, I suppose it might not have been if you upgraded this installation from a previous non-pf_ring enabled installation.

It may be time to revisit our decision to only set that variable when building against a pf_ring enabled libpcap since this "upgrading to pf_ring" problem exposes itself.  Daniel, Jon, what do you guys think?

> The count of "split_routing" events is about equal across all workers so I think it's something to do with the load-balancing via PF_RING.  

That sounds like the culprit.

> The traffic is 802.1Q tagged so maybe pf_ring is using 6-tuple load balancing for the cluster.

They made that configurable a while back for me.  I would recommend trying 2-tuple or 4-tuple balancing (I don't remember their default).  If you figure out how to configure it, could you let us know how so we don't have to go look it up? :)

Are you loading the misc/capture-loss script too?  I would recommend loading that once you get this pf_ring issue all sorted out. That should be the final (or nearly final) measurement to see if you are getting all of your traffic correctly.
	http://www.bro-ids.org/documentation/scripts/policy/misc/capture-loss.html

Thanks!
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
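
An added illustration of the load-balancing point discussed in the message above (not part of the original email and not PF_RING or Bro code): it shows how a per-flow hash that includes the VLAN ID can send the two directions of one connection to different workers, while a 2-tuple or 4-tuple hash keeps them together. Assumptions: the additive hash, the field sets per mode, the worker count, and the constructed packets (including a connection tagged with a different VLAN ID in each direction) are all hypothetical stand-ins.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport proto vlan")

# Toy model of which header fields each balancing mode hashes (assumption).
MODES = {
    "2-tuple": ("src", "dst"),
    "4-tuple": ("src", "dst", "sport", "dport"),
    "6-tuple": ("src", "dst", "sport", "dport", "proto", "vlan"),
}

def worker_for(pkt, mode, workers):
    """Pick a worker with an additive (direction-independent) hash."""
    total = 0
    for field in MODES[mode]:
        value = getattr(pkt, field)
        if field in ("src", "dst"):
            value = int(ipaddress.ip_address(value))
        total += value
    return total % workers

def count_split(packets, mode, workers):
    """Count connections whose packets reached more than one worker."""
    seen = {}
    for p in packets:
        # Direction-independent connection key: both endpoints plus protocol.
        key = (frozenset([(p.src, p.sport), (p.dst, p.dport)]), p.proto)
        seen.setdefault(key, set()).add(worker_for(p, mode, workers))
    return sum(1 for hit in seen.values() if len(hit) > 1)

# Constructed sample traffic (not from the thread).
PACKETS = [
    # Connection A: same VLAN tag in both directions.
    Packet("10.0.0.1", "10.0.0.2", 40000, 80, 6, 100),
    Packet("10.0.0.2", "10.0.0.1", 80, 40000, 6, 100),
    # Connection B: each direction carries a different VLAN tag.
    Packet("10.0.0.3", "10.0.0.4", 40001, 443, 6, 100),
    Packet("10.0.0.4", "10.0.0.3", 443, 40001, 6, 200),
]

if __name__ == "__main__":
    for mode in MODES:
        print(mode, "split connections:", count_split(PACKETS, mode, 8))
```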




