[Bro] Issue: load balancer PF_RING drops 25% of incoming packets

Rosinger, Enno (DualStudy) enno.rosinger at hpe.com
Wed Jul 27 11:31:34 PDT 2016 

Hi Philosnef,

I installed PF_RING from source and compiled libpcap and tcpdump from that folder.
Ldd supposes that the correct libpcap is used.
Is there another way to verify this?

[rosinger at slinky-3-4 examples]$ ldd /usr/local/bro/bin/bro | grep pcap
        libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f7d78387000)

As BRO is distributing the packets correctly and the number of packets match the number that PF_RING reports, I assume Bro is running correctly.
PF_RING seems to be the bigger issue ..

Thanks for the IRQ affinity hint. After some investigation it turns out, that all my cores (28 logical) handle the interrupts of my interface:
[root at slinky-3-4 examples]# grep eno2 /proc/interrupts
  43:          1          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0  IR-PCI-MSI-edge      eno2
  44:   49241082          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0          0  IR-PCI-MSI-edge      eno2-TxRx-0
[root at slinky-3-4 examples]# cat /proc/irq/43/smp_affinity
fffffff
[root at slinky-3-4 examples]# cat /proc/irq/44/smp_affinity
fffffff

Do you think that this is a good/correct configuration?

Best,
Enno


From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of philosnef
Sent: Mittwoch, 27. Juli 2016 06:52
To: bro at bro.org
Subject: [Bro] Issue: load balancer PF_RING drops 25% of incoming packets

Did you compile both tcpdump and libpcap on the box inside of pfring source directory and confirm ldd shows that those libraries are actually called in bro? If you built the kernel module, tcpdump, and libpcap, but ldd shows that pf_ring's libpcap isnt compiled into bro, you will see issues. Big ones.

Also, did you run set_irq_affinity $interface?

The only reason I can see Bro dropping packets on a pcap file would be if bro isn't properly compiled against the correct libpcap. In theory, that shouldn't happen either. But for sure on a live link, you will see this kind of drop rate in that situation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160727/82491f6e/attachment.html

More information about the Bro mailing list