[Bro] Bro and PF_RING Cluster ID
jones at tacc.utexas.edu
Thu Aug 2 12:47:31 PDT 2012
It is not necessary for PF_RING to use different cluster id per capture interface.
You can increase the the number of works per cluster id by changing CLUSTER_LEN linux/pf_ring.h from 8 to 16 or 32.
There seems other limitation in the number of works on host in bro whne you gove above 8 works on a hosts.
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Robert Rotsted
Sent: Tuesday, July 31, 2012 5:36 PM
To: bro at bro-ids.org
Subject: [Bro] Bro and PF_RING Cluster ID
I'm running a clustered Bro instance with workers capturing traffic on three PF_RING enabled e1000e interfaces.
While looking in /proc/net/pf_ring/ I noticed that all of my Bro workers belong to cluster id 21. Is it possible (or desirable) in Bro to create a PF_RING cluster id per capture interface?
I read that PF_RING allows a maximum of eight workers per cluster id, is this still true?
Bro mailing list
bro at bro-ids.org
More information about the Bro