[Zeek] High capture loss for some workers

Mark Gardner mkg at vt.edu
Tue Apr 23 13:41:32 PDT 2019


We are setting up a Zeek cluster consisting of a manager/logger and five
sensors. Each node uses the same hardware:
- 2.4 GHz AMD Epyc 7351P (16-core, 32-threads)
- 256 GB DDR3 ECC RAM
- Intel X520-T2 10 Gbps to Arista with 0.5m DAC
Configuration:
- Arista 7150S hashing on 5-tuple
- Gigamon sends to Arista via 4x10 Gbps
- Zeek v2.6-167 with AF_Packet
- 16 workers per sensor (total: 5x16=80 workers)

The capture loss was 50-70% until I remembered to turn off offloading. Now
it averages about 0.8%. Except that often 0-4 cores in a 1 hour summary
spike at 60-70% capture loss. There doesn't appear to be a pattern on which
core suffers the high loss. Searches for how to identify and fix the reason
for such large losses have failed to yield any suggestions for debugging
the problem. Suggestions?

Mark
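
One way to check whether the spikes follow a pattern, as an added example that is not part of the original post: tabulate every interval above a threshold by worker and by timestamp. It assumes Zeek's capture-loss script is loaded and writing capture_loss.log in the default TSV format; the sample records, the worker names and the 10% threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in Zeek's TSV log layout (capture_loss.log fields);
# worker names and values are made up for illustration.
SAMPLE = "\n".join("\t".join(row) for row in [
    ("#fields", "ts", "ts_delta", "peer", "gaps", "acks", "percent_lost"),
    ("#types", "time", "interval", "string", "count", "count", "double"),
    ("1556050500.0", "900.0", "worker-1-1", "120", "15000", "0.8"),
    ("1556050500.0", "900.0", "worker-1-7", "9900", "15000", "66.0"),
    ("1556050500.0", "900.0", "worker-3-2", "105", "15000", "0.7"),
    ("1556051400.0", "900.0", "worker-1-1", "135", "15000", "0.9"),
    ("1556051400.0", "900.0", "worker-1-7", "150", "15000", "1.0"),
    ("1556051400.0", "900.0", "worker-3-2", "9300", "15000", "62.0"),
])

def parse_zeek_tsv(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record seen before #fields header")
            yield dict(zip(fields, line.split("\t")))

def loss_spikes(records, threshold=10.0):
    """Return (per-peer spike list, per-interval set of spiking peers)."""
    by_peer, by_ts = defaultdict(list), defaultdict(set)
    for rec in records:
        pct = float(rec["percent_lost"])
        if pct >= threshold:
            ts = float(rec["ts"])
            by_peer[rec["peer"]].append((ts, pct))
            by_ts[ts].add(rec["peer"])
    return dict(by_peer), dict(by_ts)

if __name__ == "__main__":
    by_peer, by_ts = loss_spikes(parse_zeek_tsv(SAMPLE))
    for peer, hits in sorted(by_peer.items()):
        worst = max(pct for _, pct in hits)
        print(f"{peer}: {len(hits)} interval(s) over threshold, max {worst:.1f}%")
    for ts, peers in sorted(by_ts.items()):
        print(f"{ts:.0f}: {', '.join(sorted(peers))}")
```

Spikes that share a timestamp across sensors point upstream (tap or switch), while spikes that stay on one worker at a time suggest a single heavy flow hashed to that worker.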