I’m running Bro in a clustered configuration using PF_RING to have 8 separate workers on one box. Additionally, I have commented out almost everything in the default local.bro to run in Bro as efficiently as possible. Together, these 8 workers are using less than 20% of total CPU capacity.
However, we are experiencing capture loss consistently in the 50% range, even though CPUs are idle 80% of the time on average.
Does anyone have any experience with this? I would greatly appreciate the help.
Did you search the email list already or did you just join the list? Are you capturing the traffic from a SPAN port or a Tap? Is your network full of asymmetrical traffic/routing? Answers to these two questions first is pretty important IMO. I responded to a very similar question around 6 days ago or so on list…here’s what I said again:
Hey Drew,
I’ve been on the list for over a year, I tried searching to see similar issues but I didn’t find it. We are capturing from a span port, we have 3 edge routers and tons of asymmetrical routing. We are experiencing packet loss at such a high rate, we believe the error might be upstream (thanks to Seth)! We are going to try passive taps instead of capturing from SPAN ports.
PF_RING is installed with DKMS. All offloading has been disabled and I have been checking reporter.log for invalid checksums (none so far). CPU pinning is enabled. Though I did I did not know about ring slots for PF_RING, I do not think our network at 3Gbps requires increasing the threshold from my research.
Thanks so much, you were on point with your questions.
Glad to hear you’re now on the right track! You’re very welcome. FWIW I think the other person on the other similar thread I copied my reply from might not have known about installing PF_RING with DKMS so wanted to cover possible kernel module issues etc… I was going to guess your issue was upstream based on what you described in your first email but I didn’t want to speculate too much heh. Taps are def. the way to go if you have the option to use them instead of SPAN ports, for sure.
Best regards,
-Drew