[Bro] Quick load balancing question

James Lay jlay at slave-tothe-box.net
Mon Oct 3 08:24:42 PDT 2016


So here's an instance of bro via command line with two nic's:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      2278  0.0  0.0  66264  1468 ?        S    Sep20   0:00  \_ 
sudo /usr/local/bro/bin/bro --no-checksums -i eth0 -i ppp0 --filter not 
ip6 local Site::local_nets += { 192.168.1.0/24 }
root      2280 22.2  4.0 1484900 247056 ?      Sl   Sep20 4208:33      
\_ /usr/local/bro/bin/bro --no-checksums -i eth0 -i ppp0 --filter not 
ip6 local Site::local_nets += { 192.168.1.0/24 }

An instance of bro using broctl standalone, just one nic:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      7479  0.0  0.1  12572  2896 ?        S    09:18   0:00 
/bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p 
broctl -p broctl-live -p standalone -p local -p bro local.bro broctl 
broctl/standalone broctl/auto --no-checksums --filter not ip6
root      7485 25.9  2.8 523644 57328 ?        Rl   09:18   0:11 
/opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p 
standalone -p local -p bro local.bro broctl broctl/standalone 
broctl/auto --no-checksums --filter not ip6
root      7543  0.0  2.1 162880 42560 ?        SN   09:18   0:00 
/opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p 
standalone -p local -p bro local.bro broctl broctl/standalone 
broctl/auto --no-checksums --filter  not ip6


Lastly an instance using pf_ring load balancing, just one one nic:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      4072  0.0  0.0  12572   528 ?        S    Oct02   0:00 
/bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl 
-p broctl-live -p local -p logger local.bro broctl 
base/frameworks/cluster broctl/auto --no-checksums --filter not ipv6
root      4078  2.6  0.1 1365652 4040 ?        Sl   Oct02  41:53  \_ 
/opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p logger 
local.bro broctl base/frameworks/cluster broctl/auto --no-checksums 
--filter not ipv6
root      4079  0.0  0.0 118428   832 ?        SN   Oct02   0:09      \_ 
/opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p logger 
local.bro broctl base/frameworks/cluster broctl/auto --no-checksums 
--filter not ipv6
root      4121  0.0  0.0  12572   524 ?        S    Oct02   0:00 
/bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl 
-p broctl-live -p local -p manager local.bro broctl 
base/frameworks/cluster local-manager.bro broctl/auto --no-checksums 
--filter not ipv6
root      4127  3.7  0.4 119316 13592 ?        S    Oct02  58:03  \_ 
/opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager 
local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto 
--no-checksums --filter not ipv6
root      4128  0.0  0.0 118796   680 ?        SN   Oct02   0:07      \_ 
/opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager 
local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto 
--no-checksums --filter not ipv6
root      4161  0.0  0.0  12572   528 ?        S    Oct02   0:00 
/bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl 
-p broctl-live -p local -p proxy-1 local.bro broctl 
base/frameworks/cluster local-proxy broctl/auto --no-checksums --filter 
not ipv6
root      4167  3.7  0.2 111780  6344 ?        S    Oct02  58:13  \_ 
/opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy-1 
local.bro broctl base/frameworks/cluster local-proxy broctl/auto 
--no-checksums --filter not ipv6
root      4186  0.0  0.0 118436   492 ?        SN   Oct02   0:07      \_ 
/opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy-1 
local.bro broctl base/frameworks/cluster local-proxy broctl/auto 
--no-checksums --filter not ipv6
root      4225  0.0  0.0  12576   528 ?        S    Oct02   0:00 
/bin/bash /opt/bro/share/broctl/scripts/run-bro 1 -i eth0 -U .status -p 
broctl -p broctl-live -p local -p worker-1-2 local.bro broctl 
base/frameworks/cluster local-worker.bro broctl/auto --no-checksums 
--filter not ipv6
root      4239 17.8 11.8 540792 361052 ?       S    Oct02 278:21  \_ 
/opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p 
worker-1-2 local.bro broctl base/frameworks/cluster local-worker.bro 
broctl/auto --no-checksums --filter not ipv6
root      4245  0.0  8.6 380428 264796 ?       SN   Oct02   0:08      \_ 
/opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p 
worker-1-2 local.bro broctl base/frameworks/cluster local-worker.bro 
broctl/auto --no-checksums --filter not ipv6
root      4230  0.0  0.0  12576   528 ?        S    Oct02   0:00 
/bin/bash /opt/bro/share/broctl/scripts/run-bro 0 -i eth0 -U .status -p 
broctl -p broctl-live -p local -p worker-1-1 local.bro broctl 
base/frameworks/cluster local-worker.bro broctl/auto --no-checksums 
--filter not ipv6
root      4242 21.0 11.8 537128 362680 ?       S    Oct02 327:41  \_ 
/opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p 
worker-1-1 local.bro broctl base/frameworks/cluster local-worker.bro 
broctl/auto --no-checksums --filter not ipv6
root      4248  0.0  8.6 380436 264768 ?       SN   Oct02   0:08      \_ 
/opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p 
worker-1-1 local.bro broctl base/frameworks/cluster local-worker.bro 
broctl/auto --no-checksums --filter not ipv6

for the pf_ring I have the below:
[worker-1]
type=worker
host=localhost
interface=eth0
lb_method=pf_ring
lb_procs=2
pin_cpus=0,1

So my question is twofold,...does each pinned cpu get a process, and, is 
there a way to get load balancing using just standalone, without needing 
the logger, worker, and proxy processes?  Thank you.

James


More information about the Bro mailing list