[Bro] Troubleshooting crashes
Seth Hall
seth at icir.org
Wed Sep 19 12:19:56 PDT 2012
On Sep 18, 2012, at 2:52 AM, Tritium Cat <tritium.cat at gmail.com> wrote:
> Yeah I know, and I've read the PF_RING source for the changes you're referring to. You can select 2-tuple, 4-tuple, 5-tuple-tcp only with 2-tuple for all other traffic, regular 5-tuple, or the default which is 6-tuple (if the vlan_id is present, otherwise it is essentially 5-tuple).
Ok, I found the problem. We got tripped up when they added the configuration option and we may have to do a 2.1.1 release. We were setting the PCAP_PF_RING_USE_CLUSTER_PER_FLOW env var to "1" just to have it set to something. They started using that value to set how the load balancing is done and "1" was chosen to be round-robin.
We probably need to make that configurable (from broctl.cfg) with a default of 2 (2-tuple… it causes less trouble).
Here's the structure that defines the different load balancing approaches with that variable…
typedef enum {
cluster_per_flow = 0, /* 6-tuple: <src ip, src port, dst ip, dst port, proto, vlan> */
cluster_round_robin,
cluster_per_flow_2_tuple, /* 2-tuple: <src ip, dst ip > */
cluster_per_flow_4_tuple, /* 4-tuple: <src ip, src port, dst ip, dst port > */
cluster_per_flow_5_tuple, /* 5-tuple: <src ip, src port, dst ip, dst port, proto > */
} cluster_type;
Daniel could you make this change?
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
More information about the Bro
mailing list