[Bro] intel.log file stops getting generated.

fatema bannatwala fatema.bannatwala at gmail.com
Wed Jan 25 09:45:00 PST 2017


Hi Justin,

Thanks for the suggestions.
Here are the stats (looks like bro is using pf_ring correctly, though):

$ ls -l /proc/net/pf_ring/
total 0
-r--r--r-- 1 root root 0 Jan 25 12:40 74966-em1.1612
-r--r--r-- 1 root root 0 Jan 25 12:40 74968-em1.1616
-r--r--r-- 1 root root 0 Jan 25 12:40 74969-em1.1618
-r--r--r-- 1 root root 0 Jan 25 12:40 74970-em1.1620
-r--r--r-- 1 root root 0 Jan 25 12:40 74977-em1.1615
-r--r--r-- 1 root root 0 Jan 25 12:40 74998-em1.1621
-r--r--r-- 1 root root 0 Jan 25 12:40 75001-em1.1614
-r--r--r-- 1 root root 0 Jan 25 12:40 75026-em1.1629
-r--r--r-- 1 root root 0 Jan 25 12:40 75027-em1.1631
-r--r--r-- 1 root root 0 Jan 25 12:40 75040-em1.1622
-r--r--r-- 1 root root 0 Jan 25 12:40 75042-em1.1619
-r--r--r-- 1 root root 0 Jan 25 12:40 75051-em1.1627
-r--r--r-- 1 root root 0 Jan 25 12:40 75072-em1.1633
-r--r--r-- 1 root root 0 Jan 25 12:40 75076-em1.1613
-r--r--r-- 1 root root 0 Jan 25 12:40 75077-em1.1623
-r--r--r-- 1 root root 0 Jan 25 12:40 75097-em1.1625
-r--r--r-- 1 root root 0 Jan 25 12:40 75102-em1.1632
-r--r--r-- 1 root root 0 Jan 25 12:40 75105-em1.1624
-r--r--r-- 1 root root 0 Jan 25 12:40 75106-em1.1630
-r--r--r-- 1 root root 0 Jan 25 12:40 75107-em1.1626
-r--r--r-- 1 root root 0 Jan 25 12:40 75109-em1.1628
-r--r--r-- 1 root root 0 Jan 25 12:40 75110-em1.1617

$  cat /proc/net/pf_ring/info
PF_RING Version          : 6.4.1 (unknown)
Total rings              : 22

Standard (non ZC) Options
Ring slots               : 32768
Slot version             : 16
Capture TX               : No [RX only]
IP Defragment            : No
Socket Mode              : Standard
Total plugins            : 0
Cluster Fragment Queue   : 14140
Cluster Fragment Discard : 0

$ free
              total        used        free      shared  buff/cache   available
Mem:      131921372   130028924      684760       11916     1207688     1161016
Swap:       8388600     3253200     5135400


On Wed, Jan 25, 2017 at 12:23 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:

>
> > On Jan 25, 2017, at 12:18 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> >
> > It turns out to be the performance issue.
> > I restarted the bro cluster and it started getting generated, but have another issue:
> > The bro sensors are utilizing almost 100% memory as well as some part of swap.
> >
> > We recently have upgraded the kernel and centos to 7.3 on bro cluster, as well as using latest pfring v6.4.1
> > We have 4 bro sensors each with 132G of memory and 24 core cpu @ 2.50GHz with 48 On-line CPU(s) (0-17)), and each running 22 bro processes.
>
> With pf_ring, the first thing to check would be to verify that bro is using
> pf_ring correctly.  If it's not, you end up analyzing 100% of the traffic
> 22 times.
>
> If you do a
>
>     ls -l /proc/net/pf_ring/
>
> and
>
>     cat /proc/net/pf_ring/info
>
> it should show rings in use and one file per bro process, like:
>
> -r--r--r--. 1 root root 0 Jan 25 11:23 36549-p1p1.376
> -r--r--r--. 1 root root 0 Jan 25 11:23 36552-p1p1.369
> -r--r--r--. 1 root root 0 Jan 25 11:23 36561-p1p1.377
> -r--r--r--. 1 root root 0 Jan 25 11:23 36581-p1p1.372
> -r--r--r--. 1 root root 0 Jan 25 11:23 36594-p1p1.375
> -r--r--r--. 1 root root 0 Jan 25 11:23 36600-p1p1.378
> -r--r--r--. 1 root root 0 Jan 25 11:23 36608-p1p1.371
> -r--r--r--. 1 root root 0 Jan 25 11:23 36611-p1p2.373
>
> --
> - Justin Azoff
>
>
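Added example, not part of the thread and not code from Bro or PF_RING: a Python script for the check Justin describes, comparing the ring entries under /proc/net/pf_ring (named `<pid>-<interface>.<ring id>`) and the `Total rings` counter in `info` against the expected number of workers. The function names, the constructed sample data and the use of 22 as the worker count for a live run are assumptions for illustration.

```python
import os
import re
from collections import Counter

# Ring entries are named <pid>-<interface>.<ring id>, as in the listings above.
RING_NAME = re.compile(r"^(?P<pid>\d+)-(?P<iface>.+)\.(?P<ring>\d+)$")

def parse_rings(names):
    """Return (pid, interface, ring_id) per ring entry; 'info' etc. are skipped."""
    matches = (RING_NAME.match(n) for n in names)
    return [(int(m["pid"]), m["iface"], int(m["ring"])) for m in matches if m]

def total_rings(info_text):
    """Read the 'Total rings' counter from the contents of the info file."""
    m = re.search(r"^Total rings\s*:\s*(\d+)", info_text, re.MULTILINE)
    return int(m.group(1)) if m else None

def check_pf_ring(names, info_text, expected_workers):
    """Return a list of problems; an empty list means one ring per worker."""
    rings = parse_rings(names)
    problems = []
    if len(rings) != expected_workers:
        problems.append(f"{len(rings)} ring files for {expected_workers} workers")
    reported = total_rings(info_text)
    if reported != len(rings):
        problems.append(f"info reports {reported} rings, listing has {len(rings)}")
    shared = [pid for pid, n in Counter(r[0] for r in rings).items() if n > 1]
    if shared:
        problems.append(f"PIDs holding more than one ring: {sorted(shared)}")
    return problems

# Constructed sample input (not taken from a real sensor).
SAMPLE_NAMES = ["info", "1001-em1.10", "1002-em1.11", "1003-em1.12", "1004-em1.13"]
SAMPLE_INFO = "PF_RING Version          : 6.4.1 (unknown)\nTotal rings              : 4\n"

if __name__ == "__main__":
    proc = "/proc/net/pf_ring"
    if os.path.isdir(proc):  # live check on a sensor
        names = os.listdir(proc)
        with open(os.path.join(proc, "info")) as fh:
            info = fh.read()
        workers = 22  # assumption: workers per sensor, as stated in the thread
    else:  # fall back to the constructed sample
        names, info, workers = SAMPLE_NAMES, SAMPLE_INFO, 4
    for line in check_pf_ring(names, info, workers) or ["OK: one ring per worker"]:
        print(line)
```

A result of "0 ring files for 22 workers" is the case Justin warns about, where each worker would analyze all of the traffic.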