[Bro] bro and pf_ring zc configuration success stories

radek radoslawc at gmail.com
Tue Oct 3 07:00:58 PDT 2017


Hi!
Sure, this looks interesting, let me get back to you once setup is ready.
Best regards
Rado

On 2 October 2017 at 15:46, Seth Hall <seth at corelight.com> wrote:

> Hi radek,
>
> Would you like to test using NETMAP too? It's fairly easy to get going
> with it these days and I'd be more than happy to give you a hand. Seems
> worthwhile as a comparison point at least and it shouldn't take very long
> to get it set up.
>
> .Seth
>
> On 29 Sep 2017, at 11:44, radek wrote:
>
> Hi!
> I'm back with results. I've created a new test and ran 200 Mbits, 600 Mbit,
> 1Gbit then went all in with 8 Gbits.
> 1. You were right about the traffic generator, the previous test had some
> parameters changed and was doing something funky with TCP. I've removed
> this and the above issues are to some extent gone.
> 2. With zbalance_ipc -n 20 and worker definition:
>
> [worker-0]
> type=worker
> host=localhost
> interface=pf_ring::zc:27@0
> pin_cpus=1
>
> I'm able to process 4.5 Gbit/s with all 20 cores loaded at 60 - 70 % with
> minimal drop at bro
>
> [BroControl] > netstats
>
>    worker-0: 1506695586.298096 recvd=5465310 dropped=30118 link=5465310
>    worker-1: 1506695586.497686 recvd=5438281 dropped=9041 link=5438281
>    worker-2: 1506695586.701504 recvd=5498208 dropped=8756 link=5498208
>    worker-3: 1506695586.901398 recvd=5457893 dropped=9326 link=5457893
>    worker-4: 1506695587.101722 recvd=5472315 dropped=8877 link=5472315
>    worker-5: 1506695587.301448 recvd=5541810 dropped=10604 link=5541810
>    worker-6: 1506695587.501405 recvd=5556953 dropped=2022 link=5556953
>    worker-7: 1506695587.705590 recvd=5508997 dropped=2149 link=5508997
>    worker-8: 1506695587.905592 recvd=5526052 dropped=1955 link=5526052
>    worker-9: 1506695588.105445 recvd=5506942 dropped=2751 link=5506942
>   worker-10: 1506695588.305863 recvd=5597609 dropped=7534 link=5597609
>   worker-11: 1506695588.505499 recvd=5550657 dropped=4975 link=5550657
>   worker-12: 1506695588.705426 recvd=5578005 dropped=1152 link=5578005
>   worker-13: 1506695588.905554 recvd=5541178 dropped=90 link=5541178
>   worker-14: 1506695589.109446 recvd=5561273 dropped=3568 link=5561273
>   worker-15: 1506695589.309585 recvd=5552211 dropped=2850 link=5552211
>   worker-16: 1506695589.509799 recvd=5524173 dropped=7896 link=5524173
>   worker-17: 1506695589.709838 recvd=5565320 dropped=10923 link=5565320
>   worker-18: 1506695589.910352 recvd=5632122 dropped=9169 link=5632122
>   worker-19: 1506695590.113969 recvd=5603647 dropped=10448 link=5603647
>
> this drop occurred at the beginning of test and stayed like this until end
> (20 minutes)
>
> with zbalance_ipc -n 20 -r 0:dummy0 and so on for 20 workers defined like
> this:
>
> [worker-0]
> type=worker
> host=localhost
> interface=pf_ring::dummy0
> pin_cpus=1
>
>
> I can process at around 3 Gbit/s and around 36 % of packets are dropped at
> zbalance_ipc ingress (ixgbe NIC) (so it seems that bottleneck here is
> zc -> dummy packets processing)
> Core designated for zbalance_ipc is loaded 100% during test, I'll look
> into it next.
>
> So so far so good.
> I'll be posting updates on my findings
>
> I'm very grateful for your help.
> Thank you.
>
> Best regards
> Rado
>
>
>
> On 28 September 2017 at 19:17, radek <radoslawc at gmail.com> wrote:
>
>> Will do, I'll get back with results tomorrow as my day ended. Thanks for
>> your help so far.
>>
>> On 28 September 2017 at 19:13, Azoff, Justin S <jazoff at illinois.edu>
>> wrote:
>>
>>>
>>> > On Sep 28, 2017, at 12:55 PM, radek <radoslawc at gmail.com> wrote:
>>> >
>>> > > Can you configure your traffic generator to send it "real" traffic?
>>> >
>>> > that's the setup, it is even called Real-World Traffic (TM) by vendor.
>>> > currently that's the only way for me to have somewhat reproducible test
>>> > results in my setup.
>>>
>>>
>>> Can you set the rate to 200mbit then for a bit?  You need to get things
>>> to a point where the workers are running properly without drops.
>>>
>>> Then once the configuration looks correct and bro is logging proper
>>> connections you can start ramping the rate back up.
>>>
>>> Based on the "error: 99.17%, 7562 out of 7625 connections are half
>>> duplex" from before, nothing was working properly... and 50% drops alone
>>> wouldn't cause that.
>>>
>>> Justin Azoff
>>>
>>>
>>
> --
> Seth Hall * Corelight, Inc * www.corelight.com
>
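
An added example, not part of the original thread: a small Python parser for `netstats` lines like those quoted above that turns the raw counters into per-worker and cluster-wide drop rates, and also reports workers that see no packets at all. It assumes `dropped` is not already counted in `recvd`; the function names and the 0.5% threshold used in the usage are illustrative.

```python
import re
from typing import List, NamedTuple

# Three lines copied from the netstats output quoted in the thread above.
SAMPLE = """\
>    worker-0: 1506695586.298096 recvd=5465310 dropped=30118 link=5465310
>    worker-6: 1506695587.501405 recvd=5556953 dropped=2022 link=5556953
>   worker-13: 1506695588.905554 recvd=5541178 dropped=90 link=5541178
"""

# Tolerates mail quote markers ("> ") in front of each line.
LINE_RE = re.compile(
    r"^\s*(?:>\s*)*(?P<node>[\w.-]+):\s+\d+\.\d+\s+"
    r"recvd=(?P<recvd>\d+)\s+dropped=(?P<dropped>\d+)"
)

class WorkerStats(NamedTuple):
    node: str
    recvd: int
    dropped: int

    @property
    def drop_rate(self) -> float:
        # Assumption: dropped packets are not counted in recvd.
        total = self.recvd + self.dropped
        return self.dropped / total if total else 0.0

def parse_netstats(text: str) -> List[WorkerStats]:
    """Return one WorkerStats per counter line; other lines are skipped."""
    stats = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats.append(WorkerStats(m["node"], int(m["recvd"]), int(m["dropped"])))
    return stats

def over_threshold(stats: List[WorkerStats], max_rate: float) -> List[str]:
    """Workers whose drop rate exceeds max_rate (a fraction, e.g. 0.005)."""
    return [s.node for s in stats if s.drop_rate > max_rate]

def idle_workers(stats: List[WorkerStats]) -> List[str]:
    """Workers that report no packets at all: zero drops, but also no traffic."""
    return [s.node for s in stats if s.recvd == 0 and s.dropped == 0]

def aggregate_rate(stats: List[WorkerStats]) -> float:
    """Drop rate across all parsed workers."""
    dropped = sum(s.dropped for s in stats)
    total = sum(s.recvd for s in stats) + dropped
    return dropped / total if total else 0.0

if __name__ == "__main__":
    for s in parse_netstats(SAMPLE):
        print(f"{s.node:>10}  {s.drop_rate:.4%}")
```

Calling `over_threshold(parse_netstats(SAMPLE), 0.005)` on these three lines returns only `worker-0`, whose rate is a little under 0.55%.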