[prev in list] [next in list] [prev in thread] [next in thread]
List: bro
Subject: Re: [Bro] Bro performance issues
From: William Jones <jones () tacc ! utexas ! edu>
Date: 2011-11-06 23:06:27
Message-ID: D0BD4A5C03717E40AC104854AF37B8C2169B94 () EXMBX01 ! austin ! utexas ! edu
[Download RAW message or body]
If just sent info@bro-ids.org three patch's to fix a few minor compatibility issues \
do to python version difference. A patch to export the PF_RING variables so that \
pf_ring libpcap can see PF_RING environment variables. A patch to serializes the \
bro works startup when opening multiple network interfaces when using PF_RING.
FYI
Seth
I have been able to get 8 works reading 8 interfaces to work properly with PF_RING. \
There is a limit of 8 slots per cluster id in PF_RING. There a good chance that it \
can be increased with out any performance losses, that will have to be tested. \
There may also may be some internal limitation with bro when the number of workers go \
above 8.
Bill Jones
-----Original Message-----
From: Martin Holste [mailto:mcholste@gmail.com]
Sent: Sunday, November 06, 2011 10:06 AM
To: Tomer Teller
Cc: Seth Hall; William Jones; bro@bro-ids.org
Subject: Re: [Bro] Bro performance issues
What do you get for broctl status?
On Sun, Nov 6, 2011 at 3:02 AM, Tomer Teller <djteller@gmail.com> wrote:
>
> Seth, here is my configuration:
>
>
>
> Bro 2.0beta
>
> Running on Debian GNU/Linux 6.0
>
>
>
> broctl config | grep pfring
>
> > pfringclusterid = 21
>
>
>
> ldd bro
>
> > linux-vdso.so.1 => (0x00007fff41be1000)
>
> > libpcap.so.1 => /usr/local/pfring/lib/libpcap.so.1 (0x00007f3a74c0c000)
>
> > libpthread.so.0 => /lib/libpthread.so.0 (0x00007f3a749f0000)
>
> > libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f3a7479a000)
>
> > libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f3a743f9000)
>
> > libmagic.so.1 => /usr/lib/libmagic.so.1 (0x00007f3a741db000)
>
> > libz.so.1 => /usr/lib/libz.so.1 (0x00007f3a73fc3000)
>
> > libGeoIP.so.1 => /usr/lib/libGeoIP.so.1 (0x00007f3a73d8c000)
>
> > libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f3a73a78000)
>
> > libm.so.6 => /lib/libm.so.6 (0x00007f3a737f5000)
>
> > libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007f3a735df000)
>
> > libc.so.6 => /lib/libc.so.6 (0x00007f3a7327e000)
>
> > /lib64/ld-linux-x86-64.so.2 (0x00007f3a74e63000)
>
> > libdl.so.2 => /lib/libdl.so.2 (0x00007f3a73079000)
>
>
>
>
>
> cat /proc/net/pf_ring/*
>
> > PF_RING Version : 5.0.0 ($Revision: exported$)
>
> > Ring slots : 4096
>
> > Slot version : 13
>
> > Capture TX : Yes [RX+TX]
>
> > IP Defragment : No
>
> > Socket Mode : Standard
>
> > Transparent mode : Yes (mode 0)
>
> > Total rings : 0
>
> > Total plugins : 0
>
>
>
>
>
> for i in $(pidof bro); do echo -n "Pid:$i " ; cat /proc/$i/environ | grep
> -w 'PCAP_PF_RING_CLUSTER_ID'; done
>
>
>
> Shows me that all instances exported the PCAP_PF_RING_CLUSTER_ID (also
> tested PCAP_PF_RING_USE_CLUSTER_PER_FLOW)
>
>
>
> Again, Traffic does not split between the workers, they see the same
> packets.
>
>
>
> On Nov 6, 2011, at 3:49, Seth Hall <seth@icir.org> wrote:
>
>
> On Nov 5, 2011, at 5:21 PM, William Jones wrote:
>
> Attached is a patch to fix the getenv problem. The were tow PCAP env
> variables that need a shell export statement.
>
> This will make PF_RING work so long as all the data is going into one
> interface or bonded interface.
>
>
> What shell are you using? There is something messed up because those
> environment variables are already set and I think don't think you should
> need those lines in run-bro. I haven't seen anyone else that has needed
> those lines at least.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic