[Bro] Confused about bro pf_ring support

Jesse Bowling jessebowling at gmail.com
Wed May 8 12:45:55 PDT 2013


Hi Bill,

I configured my PF_RING enabled workers like:

[worker-1]
type=worker
host=10.10.10.10
interface=p2p1\;p2p2\;p2p3\;p2p4
lb_method=pf_ring
lb_procs=8


...I also had to make a change I referenced on-list:
***********************
So while this apparently fixes my issue:
--- control.py  2013-02-13 12:08:00.514656601 -0500
+++ control_mod.py      2013-02-13 12:09:38.382663593 -0500
@@ -808,7 +808,7 @@
     for (addr, interface) in hosts.keys():
         node = hosts[addr, interface]

-        capstats = [config.Config.capstatspath, "-i", interface, "-I",
str(interval), "-n", "1"]
+        capstats = [config.Config.capstatspath, "-i", '"' + interface +
'"', "-I", str(interval), "-n", "1"]

 # Unfinished feature: only consider a particular MAC. Works here for
capstats
 # but Bro config is not adapted currently so we disable it for now.
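
Review bot: On the added line that builds capstats, the interface is protected by concatenating literal '"' characters around it, which only holds while the value contains no double quote, $, backtick or backslash, and which leaves the quote characters inside the argument on any path that runs this list without going through a shell. Quote the value where the command string is assembled for the shell instead, for example with pipes.quote(interface) (shlex.quote on Python 3), and apply the same quoting to every other place that hands an interface name to a shell, since this hunk only covers the capstats call.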

I cannot speak to how this might affect others, the system in general, or
where else this issue might crop up. I suspect that anywhere that involves
bash + interface names is likely to suffer unexpected results due to this
PF_RING style invocation...
***********************
I'm not sure if that has been changed in the main distro however...Might be
best to double check that file if you find your broctl cron jobs failing...
:)

Cheers,

Jesse


On Wed, May 8, 2013 at 3:36 PM, William Jones <jones at tacc.utexas.edu> wrote:

> I just tried pf ring with the latest Bro. The following is the worker
> node entry in node.cfg:
>
> [worker-1]
> type=worker
> host=ids.tacc.utexas.edu.
> interface=p1p1.667 -ip1p2.667 -ip2p1.667 -ip2p2.667
> lb_method=pf_ring
> lb_procs=4
>
>
> When I look at the conn.log file I find entries like the
> following:
>
> 1368039512.116220       hla3Z6U8RRb     128.83.144.198  40873
> 129.114.62.11   22      tcp     -       0.097901        0       96 OTH
>  F       0       dA      1       40      1       88      (empty) worker-1-1
> 1368039512.362164       lSJB3FANh21     128.83.144.198  40873
> 129.114.62.11   22      tcp     -       0.002922        48      0  OTH
>  F       0       DA      2       128     0       0       (empty) worker-1-3
>
> I thought that pf_ring hashes flows so that the same flow always went to the
> same worker, so that a worker saw all traffic for a flow.
>
> I am using two dual-port Intel 520 NICs to read packets from a 10 GigE
> two-port LACP pair off two taps.
>
> Is there anyone else using taps with pf_ring? If so, do you see anything
> wrong with my config?
>
>
> Bill Jones



-- 
Jesse Bowling