[Bro] Bro-2.5.2 and PF_RING 6.7 not load balancing properly
Lamps, Jereme
jlamps at sandia.gov
Tue Jan 30 12:07:29 PST 2018
It appears PF_RING is not properly load balancing between Bro instances. For example, I have a single Bro node with 5 bro procs. Every entry in http.log is duplicated 5 times (exact timestamp and all fields are identical except the UID). My conclusion is pf_ring is not splitting the traffic and that all procs are seeing all the traffic.
my node.cfg:
[bro-worders]
type=worker
host=localhost
interface=eth5
lb_method=pf_ring
lb_procs=5
pf_ring was loaded with:
enable_tx_capture=0 min_num_slots=32768
Bro is correctly linked to libpcap libraries:
ldd /usr/local/bro/bin/bro | grep pcap
libpcap.so.1 => /opt/pfring-6.6/lib/libpcap.so.1 (0x00007effe684d000)
pf_ring info:
[root at bro-box]# cat /proc/net/pf_ring/info
PF_RING Version : 6.7.0 (dev:9b0e7c81718edb0ff6d070793bc868e3c3456bd5)
Total rings : 6
Standard (non ZC) Options
Ring slots : 32768
Slot version : 16
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
I am not sure where to go from here. Does anyone have any suggestions?
Jereme Lamps?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180130/d39d28de/attachment.html
More information about the Bro
mailing list