[Bro] Confused about bro pf_ring support

William Jones jones at tacc.utexas.edu
Wed May 8 12:36:35 PDT 2013

I just tried pf ring with the lasts bro.    The following is the worker node entry in node.cfg:

interface=p1p1.667 -ip1p2.667 -ip2p1.667 -ip2p2.667

When a look at the conn.log file if find the following entries like the following:

1368039512.116220       hla3Z6U8RRb  40873   22      tcp     -       0.097901        0       96 OTH      F       0       dA      1       40      1       88      (empty) worker-1-1
1368039512.362164       lSJB3FANh21  40873   22      tcp     -       0.002922        48      0  OTH      F       0       DA      2       128     0       0       (empty) worker-1-3

I though that pf_ring hash flows so that the same flow always went to the same worker so that a worker saw all traffic for flow.  

I am using two dual port intel 520 nick to read packets from 10 GigE two port lacp pair off two taps.   

Is there anyone elese using taps with pf_ring.   If so do you see anything wrong with my config?

Bill Jnes 

More information about the Bro mailing list