[Bro] Bro Packet Loss / 10gb ixgbe / pf_ring

Gary Faulkner gfaulkner.nsm at gmail.com
Fri Jan 8 09:25:40 PST 2016 

That last bit about only processing 8k packets sounds almost like 
PF_RING might be stuck in demo mode for ZC (runs for 10 secs or so) and 
then stops. This could mean that PF_RING isn't seeing your license file. 
Any chance it can't read the files in /etc/pf_ring/ or that there is a 
PATH problem somewhere?

On 1/8/16 10:24 AM, Nash, Paul wrote:
> Thanks Seth - I have my node.cfg to point to zc:eth3
>
> interface=zc:eth3
>
> Upon running broctl cleanup/deploy, I’m seeing that bro is called with only "-i zc:eth3”.  I tried calling it with “zc:2” (cluster ID) and zbalance_ipc handed out 8k packets before the bro workers crashed.
>
>   -Paul
>
>
>
>
> On 1/8/16, 10:28 AM, "Seth Hall" <seth at icir.org> wrote:
>
>>> On Jan 7, 2016, at 4:37 PM, Nash, Paul <Paul.Nash at tufts.edu> wrote:
>>>
>>> I have a license for ZC, and if I change the interface from eth3 to zc:eth3, it will spawn up 16 workers, but only one of them is receiving any traffic.  I’m assuming that it is looking at zc:eth3 at 0 only.   Netstats proves that out.   If I run pfcount –I zc at eth3, it will show me that I’m receiving ~1gbp/s of traffic on the interface and not dropping anything.
>> ?
>> If you make the line “interface=zc:eth3”, the pf_ring plugin for broctl should automatically change the interface that each Bro process is sniffing to the correct name as you’ve indicated (zc:eth3@[0-15]).  Configure it that way and the check with ps what interface is being sniffed (you will see it as part of the command line that broctl is executing).
>>
>> I added support for ZC to that plugin for the 2.4 release and I got it working and validated.  There are some issues with this path though because if a Bro process crashes or is shut down you will need to restart zbalance_ipc as well in order for that output ring to be reconnected.
>>
>>   .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
>>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list