[Bro] High-CPU on just a single worker in the cluster
Azoff, Justin S
jazoff at illinois.edu
Thu Apr 14 10:11:25 PDT 2016
> On Apr 14, 2016, at 11:18 AM, Dave Crawford <bro at pingtrip.com> wrote:
>
>
> $ sudo tcpdump -n -i eth6 not ip and not arp -c10000 | grep ethertype | cut -f 2 -d ',' | sort | uniq -c
> 9980 ethertype Unknown (0x8903)
>
>
> A quick Google points to Cisco FabricPath Switching ( http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/fabricpath/configuration/guide/fp_switching.html)
>
> "The FabricPath hierarchical MAC address carries the reserved EtherType 0x8903."
>
> I suppose now is a good time to reach out to the Network Engineering team and ask about the SPAN placement in that datacenter.
>
> Thanks for helping me quickly navigate this issue!
>
> -Dave
Ah.. so there are probably two issues here: bro and pf_ring
Based on this image from your link
https://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/fabricpath/configuration/guide/fp_switching_files/fp_switching-1.jpg
the FP header is fixed size, so adding support for it to bro should be easy enough: handle that ether type, skip the right number of bytes (see iosource/Packet.cc)
That won't help with the pf_ring issue though, but you're probably best reaching out to the pf_ring people about this issue.
It's entirely possible you can fix the issue with a different span configuration though.
--
- Justin Azoff
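
The approach described in the reply above (handle EtherType 0x8903, then skip the fixed-size header), as an added example that is not part of the original message and is not Bro's code. It assumes the FabricPath header is 16 bytes (outer DA, outer SA, 4-byte FP tag) followed by the original Ethernet frame; `find_l3` and `L3Info` are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Assumed layout (not taken from Bro's source): outer DA (6) + outer SA (6)
// + FP tag (4: EtherType 0x8903, FTag, TTL) = 16 bytes, then the inner frame.
constexpr uint16_t ETH_FABRICPATH = 0x8903;
constexpr uint16_t ETH_VLAN = 0x8100;
constexpr size_t ETH_HDR_LEN = 14;
constexpr size_t FP_HDR_LEN = 16;

struct L3Info {
    uint16_t ethertype;  // EtherType of the innermost payload
    size_t offset;       // byte offset of that payload within the frame
};

static uint16_t be16(const uint8_t* p) { return uint16_t((p[0] << 8) | p[1]); }

// Hypothetical helper: locate the layer-3 payload, skipping a FabricPath
// header and any 802.1Q tags. Returns false if the frame is truncated.
bool find_l3(const uint8_t* data, size_t len, L3Info* out) {
    if (len < ETH_HDR_LEN) return false;
    size_t off = 0;
    if (be16(data + 12) == ETH_FABRICPATH) {
        off = FP_HDR_LEN;  // fixed-size outer header; inner frame follows
        if (len < off + ETH_HDR_LEN) return false;
    }
    uint16_t type = be16(data + off + 12);
    off += ETH_HDR_LEN;
    while (type == ETH_VLAN) {  // 4-byte tag: TCI (2) + next EtherType (2)
        if (len < off + 4) return false;
        type = be16(data + off + 2);
        off += 4;
    }
    out->ethertype = type;
    out->offset = off;
    return true;
}

int main() {
    // Constructed sample: FabricPath + inner Ethernet + 802.1Q + 20 payload bytes.
    uint8_t frame[16 + 14 + 4 + 20] = {0};
    frame[12] = 0x89; frame[13] = 0x03;  // outer EtherType: FabricPath
    frame[28] = 0x81; frame[29] = 0x00;  // inner EtherType: 802.1Q
    frame[32] = 0x08; frame[33] = 0x00;  // tagged EtherType: IPv4
    L3Info info;
    if (find_l3(frame, sizeof frame, &info))
        std::printf("ethertype=0x%04x offset=%zu\n", info.ethertype, info.offset);
    return 0;
}
```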