PF_Ring and Bro - packet loss

nathanael_rayborn · September 11, 2015, 6:38pm

I’m experiencing high packet loss (15% -50%) with Bro 2.4 compiled with PF_Ring. PFcount (pfcount -i eth0 -e 1) shows 0% packet loss while /proc/net/pf_ring/PID shows the same number of dropped packets as broctl netstats. The github link contains all changes and performance steps I’ve taken so far along with output from PFcount, broctl, and ethtool. Has anyone else experienced similar performance issues or have recommendations to get my dropped packets as close to 0% as possible? Thanks

Current config - https://gist.github.com/nate-ray/8b4d03eab49d11715398

Jason_Williams · September 11, 2015, 7:07pm

Nathanael,

Just from initial glance you may want to allocate more slots in pfring…

Min Num Slots : 4096
Bucket Len : 8192
Slot Len : 8224 [bucket+header]
Tot Memory : 33697792
Tot Packets : 153298629
Tot Pkt Lost : 60413245
Tot Insert : 92885384
Tot Read : 92829402
Insert Offset : 3522336
Remove Offset : 3537608
Num Free Slots : 0 <--------------

maybe

modprobe pf_ring enable_tx_capture=0 min_num_slots=32768

Adam_Pumphrey1 · September 11, 2015, 7:55pm

Your broctl status output shows Bro is in standalone mode and not configured to take advantage of pf_ring. You’ll need to configure a local cluster with the pf_ring specific options set for the monitoring interface/worker. https://www.bro.org/sphinx-git/configuration/index.html#using-pf-ring

Something like this might work in your case; notice the lb_method and lb_procs settings for the worker:

[manager]
type=manager
host=127.0.0.1

[proxy-1]
type=proxy
host=127.0.0.1

[worker-1]
type=worker
host=127.0.0.1
interface=eth0
lb_method=pf_ring
lb_procs=2

I think you need at least 2 lb_procs for pf_ring to provide any performance gain. You can also set cpu affinity for the worker processes; this is recommended for better performance and cluster stability, but not required. If you do be sure to specify only physical cpu/core ID’s. I believe the general rule of thumb is to leave half of your physical cores freed up for the OS and other Bro processes. For example:

pin_cpus=2,3 # assumes a single quad-core with core ID’s 0-3

There are a few more pf_ring specific options available in BroControl’s config file. You can check them out here https://www.bro.org/sphinx/components/broctl/README.html#pfringclusterid

You might want to give “broctl capstats” and the capture-loss Bro script a try also; both are really helpful with troubleshooting traffic capture issues.

-Adam

Vito_Logrillo · September 15, 2015, 8:44am

Which is the maximum slot number that can be handled by Bro?
Thanks

Topic		Replies	Views
Dropped packets in PF_RING install Zeek	5	56	May 6, 2022
Bro Packet Loss / 10gb ixgbe / pf_ring Zeek	12	97	May 6, 2022
Bro 2.6.1 packet loss Zeek	4	59	May 6, 2022
Question about capture loss script vs. broctl netstats Zeek	9	151	May 6, 2022
Question about capture loss script vs. broctl netstats Zeek	5	44	May 6, 2022

PF_Ring and Bro - packet loss

Related Topics