[Bro] huge weird.log/conn.log
erik clark
philosnef at gmail.com
Thu Dec 1 12:25:13 PST 2016
Justin, any chance you might have that commentary stored anywhere? I spent
the past 3 hours trying to find ethtool settings for this, but have had no
success. The only thing I did find was
--set-priv-flags $iface rss-symmetric off
but I get no private flags found (for ixgbe nic). Other than that, I can
find nothing anywhere concerning this issue that seems to be here.
I did see:
https://media.readthedocs.org/pdf/jasonish-suricata/latest/jasonish-suricata.pdf
,
specifically:
---
Some NIC’s allow you to set it into a symmetric mode. The Intel X(L)710
card can do this in theory, but the drivers aren’t capable of enabling this
yet (work is underway to try to address this). Another way to address is by
setting a special “Random Secret Key” that will make the RSS symmetrical.
See http://www.ndsl.kaist.edu/~kyoungsoo/papers/TR-symRSS.pdf (PDF). In
most scenario’s however, the optimal solution is to reduce the number of
RSS queues to 1:
---
The pdf pointed to in this link is abstract and totally not useful in any
sort of practical way. That pdf (TR-symRSS.pdf) is purely academic and has
little, if any, use to us in this situation.
Setting the RSS queues to 1 doesn't seem like a very good solution to this
problem. The alternative is to just go back to pf_ring, which I am loathe
to do.
On Thu, Dec 1, 2016 at 1:46 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
>
> > On Dec 1, 2016, at 12:13 PM, erik clark <philosnef at gmail.com> wrote:
> >
> > Sorry this was supposed to go to the list as well:
> >
> > Hmm. I see
> >
> > FAIL: saw flow {tcp $ip $num $ip $num} on workers $num and $num.
> >
> > This is on RHEL7 with the latest kernel. How can I address what I am
> assuming is a failure of the kernel?
> >
>
> Yeah, that kernel does not work. I believe Michal said that if you
> upgrade the ixgb driver to the latest from intel and mess around with
> ethtool settings you can get it to work.
>
> --
> - Justin Azoff
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161201/f05c45e3/attachment.html
More information about the Bro
mailing list