[Bro] Dropped packets in PF_RING install

Mike Reeves luke at geekempire.com
Fri Aug 29 09:22:54 PDT 2014


Are the pins to actual CPUs or hyper threads? How much throughput are you
dealing with?

On Friday, August 29, 2014, Nicholas Siow <n.siow at go.wustl.edu> wrote:

> Hi Bro,
>
>
> We have an install of bro running on a single machine with PF_RING load
> balancing.
>
> Previously we were seeing a huge amount of dropped traffic — in the realm
> of ~90% average packet loss per hour. The history column in our `conn.log`
> was trash as expected, with only one or two letters per connection.
>
> After some tweaking (adding memory & upping # of bro processes & changing
> PF_RING buffer size), the logs look much better and the packet loss is
> drastically reduced, to about 0.5%-1% loss per hour. However, both `broctl
> netstats` and `cat /proc/net/pf_ring/*eth0*` report some packet loss still.
>
> Is the sub-1% packet loss we’re seeing expected/optimal or are there
> additional tweaks that we could add to push this down to 0%?
>
> ### some notes ###
>
> > both `tcpdump -nn -s0 -vv -i eth0 -w /dev/null` and the pfcount.c
> utility from pf_ring report 0% packet loss. It’s not until we start using
> bro that we start seeing dropped packets.
>
> > we’re currently using 16 bro processes pinned to 16 of 32 total
> processors
>
> > PF_RING buffer size is currently 65536
>
> > packet loss does seem to go down during low-traffic hours but during the
> day when traffic is 2.5-3 gbps is when the dropped packet count peaks
> (while still being a small percentage of the overall traffic)
>
>
> Let me know if you guys have any thoughts on this, thanks!
>
>
> - - -
> Nicholas Siow
> Washington University in St. Louis :: Information Security
>