[Bro] Troubleshooting crashes

Tritium Cat tritium.cat at gmail.com
Mon Sep 17 23:52:24 PDT 2012

On Tue, Sep 18, 2012 at 1:51 AM, Seth Hall <seth at icir.org> wrote:

> On Sep 17, 2012, at 9:34 PM, Tritium Cat <tritium.cat at gmail.com> wrote:
> > The problem is the changes this triggers inside PF_RING do not work as
> > expected, so I'm still working to prove that to the developer and find out
> > why.  For the time being I'm using a slight mod to pf_ring as a workaround.
>
> There should be some other PF_RING configuration option for setting the
> tuples to use for load balancing too.  It's a relatively new feature, I'll
> look into the variable soon.  You shouldn't have to make a modification to
> pf_ring.

Yeah I know, and I've read the PF_RING source for the changes you're
referring to.  You can select 2-tuple, 4-tuple, 5-tuple-tcp only with
2-tuple for all other traffic, regular 5-tuple, or the default which is
6-tuple (if the vlan_id is present, otherwise it is essentially 5-tuple).

The point I'm trying to make is the knobs within PF_RING that control that
behavior are not working properly when 802.1Q tags are involved.  My custom
patch just prevents the parsed vlan from being assigned.  All other
suggestions, including the recommended approach, do not work; bro spews
split_routing alarms for everything except my patched version.
