I read from multiple interfaces per worker, a consequence of of using taps to monitor a two port 10 GigE LACP pair. The net
I can't use PF_ring sense bro does not synchronizes the start up of each worker. Sterilized the startup it would allow a single work to get same has function for each interface. The a good chanes that a worker could end up with hash function in pf_Ring that are not the same.
Here is what my worker config look like:
This is fixing a different problem. People have been having trouble monitoring two separate links that don't see split routing. The problem you're encountering is something that most people have been fixing by merging the traffic streams before sending them into the analysis box with a separate piece of hardware (it would typically get load balanced at the same time too).
.Seth
I understand what problem was fixed. I was hoping that some in the bro group would recognize that there are more problems with pf_ring and bro that the current set of problems being talked about.
I merged packet streams before and found that method didn't solve my drop packet problems. What did was allocating enough packet space in the kernel per interface and having bro read from each interface.
Right now I am monitoring 2 10 GigE lacp pair. I about to put a system so that I can monitor a 4 10 GigE lacp set up.
You really should investigate what it takes keep up with multiple 10 GigE interfaces lacp interaces. You might come to the different conclusion the usefulness merging interface in the kernel kernel.