Did you compile both tcpdump and libpcap on the box inside of pfring source directory and confirm ldd shows that those libraries are actually called in bro? If you built the kernel module, tcpdump, and libpcap, but ldd shows that pf_ring’s libpcap isn’t compiled into bro, you will see issues. Big ones.
Also, did you run set_irq_affinity $interface?
The only reason I can see Bro dropping packets on a pcap file would be if bro isn’t properly compiled against the correct libpcap. In theory, that shouldn’t happen either. But for sure on a live link, you will see this kind of drop rate in that situation.
Hi Philosnef,
I installed PF_RING from source and compiled libpcap and tcpdump from that folder.
Ldd supposes that the correct libpcap is used.
Is there another way to verify this?
[rosinger@slinky-3-4 examples]$ ldd /usr/local/bro/bin/bro | grep pcap
libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f7d78387000)
As BRO is distributing the packets correctly and the number of packets matches the number that PF_RING reports, I assume Bro is running correctly.
PF_RING seems to be the bigger issue …
Thanks for the IRQ affinity hint. After some investigation it turns out that all my cores (28 logical) handle the interrupts of my interface:
[root@slinky-3-4 examples]# grep eno2 /proc/interrupts
43: 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 IR-PCI-MSI-edge eno2
44: 49241082 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 IR-PCI-MSI-edge eno2-TxRx-0
[root@slinky-3-4 examples]# cat /proc/irq/43/smp_affinity
fffffff
[root@slinky-3-4 examples]# cat /proc/irq/44/smp_affinity
fffffff
Do you think that this is a good/correct configuration?
Best,
Enno
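
Added example, not part of the original thread: a small Python parser for the two outputs quoted above, which compares the CPUs each interrupt vector is permitted to use (the smp_affinity mask) with the CPUs whose counters in /proc/interrupts are actually non-zero. The sample input is constructed from the quoted output, and the function names are illustrative.

```python
import re

# Constructed from the output quoted in the thread (28 per-CPU columns).
ZEROS = " ".join(["0"] * 27)
SAMPLE_INTERRUPTS = (
    f" 43: 1 {ZEROS} IR-PCI-MSI-edge eno2\n"
    f" 44: 49241082 {ZEROS} IR-PCI-MSI-edge eno2-TxRx-0\n"
)
SAMPLE_MASKS = {43: "fffffff", 44: "fffffff"}  # /proc/irq/<n>/smp_affinity


def parse_interrupts(text, iface):
    """Return {irq: (name, [per-CPU counts])} for vectors belonging to iface."""
    vectors = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not re.fullmatch(r"\d+:", fields[0]):
            continue  # header line or non-numeric vectors such as NMI/LOC
        counts = []
        for tok in fields[1:]:
            if not tok.isdigit():
                break  # first non-numeric token starts the description
            counts.append(int(tok))
        name = fields[-1]
        if name == iface or name.startswith(iface + "-"):
            vectors[int(fields[0][:-1])] = (name, counts)
    return vectors


def cpus_in_mask(mask_hex):
    """Decode an smp_affinity bitmask (comma-grouped on large hosts) to CPU ids."""
    mask = int(mask_hex.strip().replace(",", ""), 16)
    return [cpu for cpu in range(mask.bit_length()) if mask >> cpu & 1]


def summarise(text, masks, iface):
    """Compare CPUs each vector may use with CPUs that actually serviced it."""
    rows = []
    for irq, (name, counts) in sorted(parse_interrupts(text, iface).items()):
        rows.append({
            "irq": irq, "name": name, "total": sum(counts),
            "allowed": cpus_in_mask(masks[irq]),
            "active": [cpu for cpu, n in enumerate(counts) if n],
        })
    return rows


if __name__ == "__main__":
    for r in summarise(SAMPLE_INTERRUPTS, SAMPLE_MASKS, "eno2"):
        print(f"IRQ {r['irq']} {r['name']}: {r['total']} interrupts, "
              f"allowed on {len(r['allowed'])} CPUs, serviced by {r['active']}")
```

On a live host, pass the contents of /proc/interrupts and each /proc/irq/<n>/smp_affinity file in place of the constructed samples.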