> On Aug 30, 2018, at 4:11 PM, Rajput, Jawad (CONTR) <jawad.raj...@hq.doe.gov> 
> wrote:
> 
> Hello Everyone,
>  
> I am reaching out with the hope that someone will be able to help us with an 
> issue we are having with Bro upgrade from 2.4.1 to 2.5.X.
>  
> We have a system with 12 cores (3GHz), 128GB RAM, and a 10G NIC (Intel X520-SR2 
> 10GbE Dual-port), monitoring between 1.5 - 2.5 Gbps traffic.
>  
> Bro 2.4.1 is working great and periodically drops 2-5% when traffic peaks at 
> ~ 2.5. However, when we upgrade to Bro 2.5.3/4 on the same exact system the 
> drops go up to 90%.
>  
> We are using CentOS-7 and tried installing Bro and Pfring from both rpm and 
> source without any luck. I wonder if anyone has seen this issue and can give 
> some clues to resolve this issue.
>  
> Bro Node Conf: 
> [manager]
> type=manager
> host=localhost
> #
> [proxy-1]
> type=proxy
> host=localhost
>  
> #
> [worker-1]
> type=worker
> host=localhost
> interface=ens1f1
> lb_method=pf_ring
> lb_procs=11
> pin_cpus=1,2,3,4,5,6,7,8,9,10,11

You're missing a logger process; adding one will make the cluster run better:

[logger]
type=logger
host=localhost


> [root@bro-test ~]# cat /proc/net/pf_ring/info
> PF_RING Version          : 7.3.0 (unknown)
> Total rings              : 11

you should have 1, not 11...

> Standard (non ZC) Options
> Ring slots               : 65534
> Slot version             : 17
> Capture TX               : No [RX only]
> IP Defragment            : No
> Socket Mode              : Standard
> Cluster Fragment Queue   : 0
> Cluster Fragment Discard : 0

Looks like you are having the issue where bro is not actually using pf_ring load 
balancing if you installed it from rpms.
What you're effectively doing is running 11 workers that are all receiving 100% 
of the traffic, so you are doing 11 times the work.

You can further confirm that this is the problem you are having by running

        broctl config | grep -i clusterid

and seeing if the id is set to 0:

        pfringclusterid = 0

if so, edit /opt/bro/etc/broctl.cfg and add

        PFRINGClusterID = 11

and broctl deploy to restart everything.

This is already fixed and won't happen again in bro >= 2.6... just keeps 
tripping people up on 2.5.x

You should also look into switching to the native bro pf_ring plugin or the bro 
af_packet plugin which are both better choices than using the pcap wrapper 
method.

— 
Justin Azoff

_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
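
The check described in the reply above, as an added example that is not part of the original message or of broctl: it reads a node.cfg and the saved output of `broctl config`, and flags the case where workers request `lb_method=pf_ring` while `pfringclusterid` is 0. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Print "<node> <lb_procs>" for each node.cfg section that sets lb_method=pf_ring.
pf_ring_workers() {
    awk -F= '
        function emit() { if (node != "" && method == "pf_ring") print node, procs }
        /^[ \t]*#/ { next }
        /^\[/ { emit(); node = substr($0, 2, index($0, "]") - 2); method = ""; procs = 1; next }
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key == "lb_method" { method = val }
        key == "lb_procs"  { procs = val }
        END { emit() }
    ' "$1"
}

# Read `broctl config` output on stdin and print the pfringclusterid value.
cluster_id() {
    awk -F= 'tolower($1) ~ /^[ \t]*pfringclusterid[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# check_pf_ring NODE_CFG SAVED_BROCTL_CONFIG_OUTPUT
# Returns 0 if fine, 1 if pf_ring workers run with cluster id 0, 2 if the id is not found.
check_pf_ring() {
    workers=$(pf_ring_workers "$1")
    [ -n "$workers" ] || { echo "OK: no pf_ring load-balanced workers"; return 0; }
    id=$(cluster_id < "$2")
    if [ -z "$id" ]; then
        echo "UNKNOWN: pfringclusterid not found in broctl config output"
        return 2
    elif [ "$id" = "0" ]; then
        echo "PROBLEM: pfringclusterid = 0 with pf_ring workers: $workers"
        echo "Set PFRINGClusterID (the reply uses 11) in broctl.cfg, then: broctl deploy"
        return 1
    fi
    echo "OK: pfringclusterid = $id"
}

# Constructed sample input, modelled on the node.cfg quoted in the thread.
demo=$(mktemp -d)
printf '%s\n' '[manager]' 'type=manager' 'host=localhost' '#' \
    '[worker-1]' 'type=worker' 'host=localhost' 'interface=ens1f1' \
    'lb_method=pf_ring' 'lb_procs=11' > "$demo/node.cfg"
printf 'pfringclusterid = 0\n'  > "$demo/broctl_bad.txt"
printf 'pfringclusterid = 11\n' > "$demo/broctl_fixed.txt"
check_pf_ring "$demo/node.cfg" "$demo/broctl_bad.txt" || true
check_pf_ring "$demo/node.cfg" "$demo/broctl_fixed.txt"
```

On a live system the second argument would be a file produced with `broctl config > file`.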
