[Bro] PF_Ring and Bro - packet loss
Igor Lasic
ilasic at reversinglabs.com
Fri Sep 11 13:02:01 PDT 2015
I found the loss is very dependent on the NIC used and ETHTOOL flags used.
We've found Intel NIC and settings found in below papers give us the best
performance.
http://dak1n1.com/blog/7-performance-tuning-intel-10gbe
https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
> 2. PF_Ring and Bro - packet loss (nathanael rayborn)
>
>
> Message: 2
> Date: Fri, 11 Sep 2015 13:38:42 -0500
> From: nathanael rayborn <nathanael.rayborn at gmail.com>
> Subject: [Bro] PF_Ring and Bro - packet loss
> To: bro at bro.org
> Message-ID:
> <
> CAMKC1B16BSGSJcu_PAixFSV9+3Rz0+Tm68KwoB0GyygsPuYRcQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I'm experiencing high packet loss (15% -50%) with Bro 2.4 compiled with
> PF_Ring. PFcount (pfcount -i eth0 -e 1) shows 0% packet loss while
> /proc/net/pf_ring/PID shows the same number of dropped packets as broctl
> netstats. The github link contains all changes and performance steps I've
> taken so far along with output from PFcount, broctl, and ethtool. Has
> anyone else experienced similar performance issues or have recommendations
> to get my dropped packets as close to 0% as possible? Thanks
>
>
> Current config - https://gist.github.com/nate-ray/8b4d03eab49d11715398
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150911/272ff4ac/attachment-0001.html
>
> ------------------------------
>
> _______________________________________________
> Bro mailing list
> Bro at bro.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> End of Bro Digest, Vol 113, Issue 12
> ************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150911/3b426819/attachment.html
More information about the Bro
mailing list