Thank you for the response. It is my configuration. eth0 is the capture interface. I
figured out the issue based on your duplicate log question.
In node.cfg, when using lb_method=pf_ring, i belive the cluster ID is supposed to be
automatically assigned. If you look at the output of "broctl config" it shows
pfringclusterid = 21, however, that is not the case. I had to explicitly assign the
cluster ID in broctl.cfg like this:
pfringclusterid = 21
This might be good to include in the documentation here:
From: COLIN BLAIR <mnmblair(a)hotmail.com>
Sent: Wednesday, January 23, 2019 1:03 PM
Subject: Bro 2.6.1 packet loss
We are testing the latest release on our sensors and are seeing larger packet drops than
the previous 2.5.5.
We are running a local cluster with the following
lb_method = pf_ring
lb_procs = 20
pin_cpus = 0-19
Xeon D-1587 16 cores, 32 logical, 1.7 Ghz
128GB DDR4 2133Mhz
Intel 10GBase-T X557
We are dropping traffic @ 250 Mb/s with this config. We have already tuned the BIOS, NIC
and sysctl.d. Did the netstats command get updated in the latest release? We did not see
this poor performance with bro 2.5.5. Can you provide any other suggestions?
Also, did the pf_ring plugin get removed?