[Bro] High-CPU on just a single worker in the cluster
Dave Crawford
bro at pingtrip.com
Thu Apr 14 08:18:17 PDT 2016
$ sudo tcpdump -n -i eth6 not ip and not arp -c10000 | grep ethertype | cut -f 2 -d ',' | sort | uniq -c
9980 ethertype Unknown (0x8903)
A quick Google points to Cisco FabricPath Switching (http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/fabricpath/configuration/guide/fp_switching.html)
"The FabricPath hierarchical MAC address carries the reserved EtherType 0x8903."
I suppose now is a good time to reach out to the Network Engineering team and ask about the SPAN placement in that datacenter.
Thanks for helping me quickly navigate this issue!
-Dave
> On Apr 14, 2016, at 10:41 AM, Azoff, Justin S <jazoff at illinois.edu> wrote:
>
>
>> On Apr 14, 2016, at 9:55 AM, Dave Crawford <bro at pingtrip.com> wrote:
>>
>>
>> You may be on to something with the non-ip traffic... there is a drastic difference between the two datacenters:
>>
>> WIN
>> 1460641772.239436 pkts=10414545 kpps=208.2 kbytes=5732528 mbps=938.6 nic_pkts=10414545 nic_drops=0 u=104675 t=3627503 i=307 o=405 nonip=6681655
>>
>> MID
>> 1460641723.573448 pkts=9553569 kpps=178.9 kbytes=6561123 mbps=1006.6 nic_pkts=9553569 nic_drops=0 u=174140 t=9373195 i=267 o=934 nonip=5033
>>
>
> Great.. just what I was thinking. At this point you should be able to just run something like
>
> tcpdump -n -c 1000 'not ip'
>
> on the WIN box
>
> and see exactly what this traffic is.. then we can figure out what to do about it...
>
>
> --
> - Justin Azoff
>
>
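As an added example (not part of the thread), a small Python parser for per-worker stats lines in the format quoted above that flags workers whose non-IP share is far out of line with the others; the WIN/MID labels in front of each line and the 10% threshold are my own assumptions.

```python
import re

# Constructed sample: the two stats lines quoted in the thread, each prefixed
# with an assumed worker label so the parser can tell them apart.
SAMPLE_STATS = """\
WIN 1460641772.239436 pkts=10414545 kpps=208.2 kbytes=5732528 mbps=938.6 nic_pkts=10414545 nic_drops=0 u=104675 t=3627503 i=307 o=405 nonip=6681655
MID 1460641723.573448 pkts=9553569 kpps=178.9 kbytes=6561123 mbps=1006.6 nic_pkts=9553569 nic_drops=0 u=174140 t=9373195 i=267 o=934 nonip=5033
"""

# key=value pairs; values are integers or decimals
KV_RE = re.compile(r"(\w+)=([\d.]+)")


def parse_stats_line(line):
    """Return (worker, timestamp, {field: value}) for one labelled stats line."""
    worker, ts, rest = line.split(None, 2)
    fields = {k: float(v) for k, v in KV_RE.findall(rest)}
    return worker, float(ts), fields


def nonip_ratio(fields):
    """Share of captured packets counted under the 'nonip' field."""
    return fields["nonip"] / fields["pkts"] if fields["pkts"] else 0.0


def find_nonip_outliers(text, threshold=0.10):
    """Map worker -> non-IP share (rounded) for workers above the threshold.

    A worker whose non-IP share is orders of magnitude above its peers is a
    candidate for a misplaced SPAN or an encapsulation the analyzer cannot
    decode, which is exactly the symptom discussed in the thread.
    """
    outliers = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        worker, _, fields = parse_stats_line(line)
        ratio = nonip_ratio(fields)
        if ratio > threshold:
            outliers[worker] = round(ratio, 3)
    return outliers


if __name__ == "__main__":
    for worker, ratio in find_nonip_outliers(SAMPLE_STATS).items():
        print(f"{worker}: {ratio:.1%} of packets are non-IP")
```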