[Bro] Confused about bro pf_ring support
jones at tacc.utexas.edu
Wed May 8 12:36:35 PDT 2013
I just tried pf_ring with the latest Bro. The following is the worker node entry in node.cfg:
interface=p1p1.667 -ip1p2.667 -ip2p1.667 -ip2p2.667
When I look at the conn.log file I find entries like the following:
1368039512.116220 hla3Z6U8RRb 220.127.116.11 40873 18.104.22.168 22 tcp - 0.097901 0 96 OTH F 0 dA 1 40 1 88 (empty) worker-1-1
1368039512.362164 lSJB3FANh21 22.214.171.124 40873 126.96.36.199 22 tcp - 0.002922 48 0 OTH F 0 DA 2 128 0 0 (empty) worker-1-3
I thought that pf_ring hashed flows so that the same flow always went to the same worker, so that a worker saw all traffic for a flow.
I am using two dual-port Intel 520 NICs to read packets from a 10 GigE two-port LACP pair off two taps.
Is there anyone else using taps with pf_ring? If so, do you see anything wrong with my config?
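
A check for the symptom described in the message above, added here as an example (not part of the original post and not Bro's own code): it groups conn.log entries by a direction-independent flow key and reports every flow that more than one worker logged. The sample lines are constructed, and the column positions (worker name in the last column) are an assumption taken from the two lines quoted in the post.

```python
"""Report flows that appear in conn.log under more than one worker."""
from collections import defaultdict

# Constructed sample, same column layout as the lines quoted in the post.
# Addresses are documentation ranges, uids are made up.
SAMPLE = """\
1368039512.116220 aaaaaaaaaa1 192.0.2.10 40873 198.51.100.5 22 tcp - 0.097901 0 96 OTH F 0 dA 1 40 1 88 (empty) worker-1-1
1368039512.362164 aaaaaaaaaa2 192.0.2.10 40873 198.51.100.5 22 tcp - 0.002922 48 0 OTH F 0 DA 2 128 0 0 (empty) worker-1-3
1368039513.000100 aaaaaaaaaa3 192.0.2.77 51514 198.51.100.9 443 tcp ssl 1.204000 517 3120 SF F 0 ShADadFf 8 941 7 3492 (empty) worker-1-2
1368039514.500000 aaaaaaaaaa4 198.51.100.9 443 192.0.2.88 51999 tcp - 0.010000 0 60 OTH F 0 dA 1 40 1 100 (empty) worker-1-4
1368039514.510000 aaaaaaaaaa5 192.0.2.88 51999 198.51.100.9 443 tcp - 0.020000 70 0 OTH F 0 DA 2 150 0 0 (empty) worker-1-1
"""

MIN_FIELDS = 21  # assumed: 20 conn.log columns plus the worker name


def flow_key(fields):
    """Protocol plus both endpoints, sorted so that a worker which only saw
    the reply direction (and so swapped originator and responder) still
    produces the same key as the worker that saw the request direction."""
    a = (fields[2], int(fields[3]))
    b = (fields[4], int(fields[5]))
    return (fields[6],) + tuple(sorted((a, b)))


def split_flows(text):
    """Return {flow_key: [workers]} for flows logged by two or more workers."""
    workers_by_flow = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Skip '#' header lines and anything too short to be a record.
        if line.startswith("#") or len(fields) < MIN_FIELDS:
            continue
        workers_by_flow[flow_key(fields)].add(fields[-1])
    return {k: sorted(w) for k, w in workers_by_flow.items() if len(w) > 1}


if __name__ == "__main__":
    for key, workers in sorted(split_flows(SAMPLE).items()):
        proto, (ip1, port1), (ip2, port2) = key
        print(f"{proto} {ip1}:{port1} <-> {ip2}:{port2} seen by {', '.join(workers)}")
```

With correct per-flow load balancing the function returns an empty dict; any entry means a worker is analysing only part of a connection, which typically shows up as OTH states and one-sided byte counts like those in the quoted lines.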