[Bro] bro and pf_ring zc configuration success stories

Seth Hall seth at corelight.com
Mon Oct 2 06:46:52 PDT 2017


Hi radek,

Would you like to test using NETMAP too?  It's fairly easy to get going 
with it these days and I'd be more than happy to give you hand.  Seems 
worthwhile as a comparison point at least and it shouldn't take very 
long to get it setup.

   .Seth

On 29 Sep 2017, at 11:44, radek wrote:

> Hi!
> I'm back with results. I've created new test and ran 200 Mbits, 600 
> Mbit,
> 1Gbit then went all in with 8 Gbits.
> 1. You were right with traffic generator, previous test had some 
> parameters
> changed and was doing something funky with TCP. I've removed this and 
> above
> issues are to some extent gone.
> 2. With zbalance_ipc -n 20 and worker definition:
>
> [worker-0]
> type=worker
> host=localhost
> interface=pf_ring::zc:27 at 0
> pin_cpus=1
>
> I'm able to process 4.5 Gbit/s with all 20 cores loaded at 60 - 70 % 
> with
> minimal drop at bro
>
> [BroControl] > netstats
>
>    worker-0: 1506695586.298096 recvd=5465310 dropped=30118 
> link=5465310
>
>    worker-1: 1506695586.497686 recvd=5438281 dropped=9041 link=5438281
>
>    worker-2: 1506695586.701504 recvd=5498208 dropped=8756 link=5498208
>
>    worker-3: 1506695586.901398 recvd=5457893 dropped=9326 link=5457893
>
>    worker-4: 1506695587.101722 recvd=5472315 dropped=8877 link=5472315
>
>    worker-5: 1506695587.301448 recvd=5541810 dropped=10604 
> link=5541810
>
>    worker-6: 1506695587.501405 recvd=5556953 dropped=2022 link=5556953
>
>    worker-7: 1506695587.705590 recvd=5508997 dropped=2149 link=5508997
>
>    worker-8: 1506695587.905592 recvd=5526052 dropped=1955 link=5526052
>
>    worker-9: 1506695588.105445 recvd=5506942 dropped=2751 link=5506942
>
>   worker-10: 1506695588.305863 recvd=5597609 dropped=7534 link=5597609
>
>   worker-11: 1506695588.505499 recvd=5550657 dropped=4975 link=5550657
>
>   worker-12: 1506695588.705426 recvd=5578005 dropped=1152 link=5578005
>
>   worker-13: 1506695588.905554 recvd=5541178 dropped=90 link=5541178
>
>   worker-14: 1506695589.109446 recvd=5561273 dropped=3568 link=5561273
>
>   worker-15: 1506695589.309585 recvd=5552211 dropped=2850 link=5552211
>
>   worker-16: 1506695589.509799 recvd=5524173 dropped=7896 link=5524173
>
>   worker-17: 1506695589.709838 recvd=5565320 dropped=10923 
> link=5565320
>
>   worker-18: 1506695589.910352 recvd=5632122 dropped=9169 link=5632122
>
>   worker-19: 1506695590.113969 recvd=5603647 dropped=10448 
> link=5603647
>
>
>
> this drop occured at the beginning of test and stayed like this until 
> end
> (20 minutes)
>
> with zbalance_ipc - n 20 -r 0:dummy0 and so on for 20 workers defined 
> like
> this:
>
> [worker-0]
> type=worker
> host=localhost
> interface=pf_ring::dummy0
> pin_cpus=1
>
>
> I can process at around 3 Gbit/s and around 36 % of packets are 
> dropped at
> zbalance_ipc ingress (ixgbe NIC) (so it seems that bottleneck here is 
> zc -
>> dummy packets processing)
> Core designated for zbalance_ipc is loaded 100% during test , I'll 
> look
> into it next.
>
> So so far so good.
> I'll be posting updates on my findings
>
> I'm very grateful for your help.
> Thank you.
>
> Best regards
> Rado
>
>
>
> On 28 September 2017 at 19:17, radek <radoslawc at gmail.com> wrote:
>
>> Will do, I'll get back with results tomorrow as my day ended. Thanks 
>> for
>> your help so far.
>>
>> On 28 September 2017 at 19:13, Azoff, Justin S <jazoff at illinois.edu>
>> wrote:
>>
>>>
>>>> On Sep 28, 2017, at 12:55 PM, radek <radoslawc at gmail.com> wrote:
>>>>
>>>>> Can you configure your traffic generator to send it "real" 
>>>>> traffic?
>>>>
>>>> that's the setup, it is even called Real-World Traffic (TM) by 
>>>> vendor.
>>> currently that's the only way for me to have somewhat reproducible 
>>> test
>>> results in my setup.
>>>
>>>
>>> Can you set the rate to 200mbit then for a bit?  You need to get 
>>> things
>>> to a point where the workers are running properly without drops.
>>>
>>> Then once the configuration looks correct and bro is logging proper
>>> connections you can start ramping the rate back up.
>>>
>>> Based on the "error: 99.17%, 7562 out of 7625 connections are half
>>> duplex" from before, nothing was working properly... and 50% drops 
>>> alone
>>> wouldn't cause that.
>>>
>>>>>> Justin Azoff
>>>
>>>
>>


> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Seth Hall * Corelight, Inc * www.corelight.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20171002/dd38b97a/attachment.html 


More information about the Bro mailing list