Bro 2.6.1 packet loss

Zeek
1

We are testing the latest release on our sensors and are seeing larger packet drops than the previous 2.5.5.

We are running a local cluster with the following

node.cfg:
[manager]
localhost

[logger]
localhost

[proxy-1]
localhost

[worker-1]
localhost
lb_method = pf_ring
lb_procs = 20
pin_cpus = 0-19

System:
Xeon D-1587 16 cores, 32 logical, 1.7 Ghz
128GB DDR4 2133Mhz
8TB SSD
Intel 10GBase-T X557

We are dropping traffic @ 250 Mb/s with this config. We have already tuned the BIOS, NIC and sysctl.d. Did the netstats command get updated in the latest release? We did not see this poor performance with bro 2.5.5. Can you provide any other suggestions?

Also, did the pf_ring plugin get removed?

R,
CB

2

You have to use bro-pkg manager to get the pf_ring plugin now.

3

Is this your actual configuration? I don't even see an interface to sniff, and where you've specified "localhost" seems to not have the associated configuration key.

Based on your question about pf_ring too, it sounsd like you might not actually be load balancing your traffic. Are you having duplicate logs?

   .Seth

4

Hi Seth,

Thank you for the response. It is my configuration. eth0 is the capture interface. I figured out the issue based on your duplicate log question.

In node.cfg, when using lb_method=pf_ring, i belive the cluster ID is supposed to be automatically assigned. If you look at the output of “broctl config” it shows pfringclusterid = 21, however, that is not the case. I had to explicitly assign the cluster ID in broctl.cfg like this:

pfringclusterid = 21

This might be good to include in the documentation here: https://www.zeek.org/documentation/load-balancing.html

Thanks again,
CB