[Bro] Bro Packet Loss / 10gb ixgbe / pf_ring
Seth Hall
seth at icir.org
Fri Jan 8 07:28:42 PST 2016
> On Jan 7, 2016, at 4:37 PM, Nash, Paul <Paul.Nash at tufts.edu> wrote:
>
> I have a license for ZC, and if I change the interface from eth3 to zc:eth3, it will spawn up 16 workers, but only one of them is receiving any traffic. I’m assuming that it is looking at zc:eth3 at 0 only. Netstats proves that out. If I run pfcount –I zc at eth3, it will show me that I’m receiving ~1gbp/s of traffic on the interface and not dropping anything.
If you make the line “interface=zc:eth3”, the pf_ring plugin for broctl should automatically change the interface that each Bro process is sniffing to the correct name as you’ve indicated (zc:eth3@[0-15]). Configure it that way and the check with ps what interface is being sniffed (you will see it as part of the command line that broctl is executing).
I added support for ZC to that plugin for the 2.4 release and I got it working and validated. There are some issues with this path though because if a Bro process crashes or is shut down you will need to restart zbalance_ipc as well in order for that output ring to be reconnected.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list