If your hardware doesn't support HLB, or if you for whatever reason don't want to use that load balancing, I've had good success with a Bro configuration that Seth Hall wrote for me. As background, my NIC is (currently) sending a full copy of the input stream to each of a dozen output streams. I'm going to be implementing HLB on my NIC, so I wanted to keep Seth's hard work around somewhere that it might also do somebody else some good.

This configuration allows for six workers. If you want a different number, change total_lb_procs and the integers at the end of each restrict_filters statement appropriately.

event bro_init() &priority=-12
    {
    # Number of workers that each receive a full copy of the traffic.
    local total_lb_procs = 6;

    # ip[14:2] and ip[18:2] are the low 16 bits of the IPv4 source and
    # destination addresses. x - (n*(x/n)) is x modulo n under integer
    # division, so each worker keeps exactly one residue class.
    if ( Cluster::node == "worker-1" )
        restrict_filters = table(["lb_filter"] = fmt("(ip[14:2]+ip[18:2]) - (%d*((ip[14:2]+ip[18:2])/%d)) == %d", total_lb_procs, total_lb_procs, 0) );
    if ( Cluster::node == "worker-2" )
        restrict_filters = table(["lb_filter"] = fmt("(ip[14:2]+ip[18:2]) - (%d*((ip[14:2]+ip[18:2])/%d)) == %d", total_lb_procs, total_lb_procs, 1) );
    if ( Cluster::node == "worker-3" )
        restrict_filters = table(["lb_filter"] = fmt("(ip[14:2]+ip[18:2]) - (%d*((ip[14:2]+ip[18:2])/%d)) == %d", total_lb_procs, total_lb_procs, 2) );
    if ( Cluster::node == "worker-4" )
        restrict_filters = table(["lb_filter"] = fmt("(ip[14:2]+ip[18:2]) - (%d*((ip[14:2]+ip[18:2])/%d)) == %d", total_lb_procs, total_lb_procs, 3) );
    if ( Cluster::node == "worker-5" )
        restrict_filters = table(["lb_filter"] = fmt("(ip[14:2]+ip[18:2]) - (%d*((ip[14:2]+ip[18:2])/%d)) == %d", total_lb_procs, total_lb_procs, 4) );
    if ( Cluster::node == "worker-6" )
        restrict_filters = table(["lb_filter"] = fmt("(ip[14:2]+ip[18:2]) - (%d*((ip[14:2]+ip[18:2])/%d)) == %d", total_lb_procs, total_lb_procs, 5) );

    # Apply the restrict filter to this node's packet source.
    PacketFilter::install();
    }
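
The filter's arithmetic, modelled in Python as an added example (not part of Seth's configuration or the original post), shows which worker keeps a given flow and that both directions of a flow land on the same worker. The function names and sample addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter


def lb_filter(total_lb_procs: int, index: int) -> str:
    """Build the same BPF string the Bro script assigns to restrict_filters."""
    s = "(ip[14:2]+ip[18:2])"
    return f"{s} - ({total_lb_procs}*({s}/{total_lb_procs})) == {index}"


def low16(addr: str) -> int:
    """ip[14:2] / ip[18:2]: the last two bytes of an IPv4 address."""
    return int(ipaddress.IPv4Address(addr)) & 0xFFFF


def worker_for(src: str, dst: str, total_lb_procs: int) -> str:
    """Name of the worker whose filter matches a packet from src to dst."""
    total = low16(src) + low16(dst)
    # BPF integer division: x - n*(x/n) is x mod n.
    index = total - total_lb_procs * (total // total_lb_procs)
    return f"worker-{index + 1}"  # worker-1 holds residue 0, and so on


def distribution(flows, total_lb_procs: int) -> Counter:
    """Count how many (src, dst) flows each worker would keep."""
    return Counter(worker_for(s, d, total_lb_procs) for s, d in flows)


# Constructed sample: 60 clients talking to one server (documentation ranges).
SAMPLE_FLOWS = [(f"192.0.2.{i}", "198.51.100.7") for i in range(1, 61)]

if __name__ == "__main__":
    n = 6
    for i in range(n):
        print(f"worker-{i + 1}: {lb_filter(n, i)}")
    # Addition is commutative, so request and reply hit the same worker.
    print(worker_for("192.0.2.10", "198.51.100.7", n))
    print(worker_for("198.51.100.7", "192.0.2.10", n))
    print(sorted(distribution(SAMPLE_FLOWS, n).items()))
```

Because the expression uses ip[...], only IPv4 packets can match any of the six filters.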

Update 16 September - Seth tells me that this is a terrible way to balance in Bro - he had some problems with this at another high-volume institution. Well, it worked for me. :)

