[Bro] Confused about bro pf_ring support

William Jones jones at tacc.utexas.edu
Wed May 8 13:47:32 PDT 2013

I changed my interface line to match yours. Now I don't see any pf_ring entries that indicate that pf_ring is active in /proc/net/pf_ring/.

I should see an entry like the following for each open device: 8115-p1p1.667.9.

Could you check your system's /proc/net/pf_ring and see if you are really using pf_ring?

From: Jesse Bowling [mailto:jessebowling at gmail.com]
Sent: Wednesday, May 08, 2013 2:46 PM
To: William Jones
Cc: bro at bro.org
Subject: Re: [Bro] Confused about bro pf_ring support

Hi Bill,
I configured my PF_RING enabled workers like:


...I also had to make a change I referenced on-list:
So while this apparently fixes my issue:
--- control.py  2013-02-13 12:08:00.514656601 -0500
+++ control_mod.py      2013-02-13 12:09:38.382663593 -0500
@@ -808,7 +808,7 @@
     for (addr, interface) in hosts.keys():
         node = hosts[addr, interface]

-        capstats = [config.Config.capstatspath, "-i", interface, "-I", str(interval), "-n", "1"]
+        capstats = [config.Config.capstatspath, "-i", '"' + interface + '"', "-I", str(interval), "-n", "1"]

 # Unfinished feature: only consider a particular MAC. Works here for capstats
 # but Bro config is not adapted currently so we disable it for now.
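Review bot: the quoting in the changed `capstats` line only has the intended effect if the list is later joined into one string and run through a shell; if it is passed as an argument vector directly, capstats receives the literal double-quote characters as part of the `-i` value. The patch description should say which execution path this list feeds (the surrounding text mentions bash) so that readers can tell which case applies. If it is the shell path, plain double quotes still leave an interface value containing shell metacharacters unprotected; `pipes.quote` (Python 2) or `shlex.quote` (Python 3) on `interface` would cover that case as well as the spaces this change is aimed at.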

I cannot speak to how this might affect others, the system in general, or where else this issue might crop up. I suspect that anywhere that involves bash + interface names is likely to suffer unexpected results due to this PF_RING-style invocation...
I'm not sure if that has been changed in the main distro, however... Might be best to double check that file if you find your broctl cron jobs failing... :)



On Wed, May 8, 2013 at 3:36 PM, William Jones <jones at tacc.utexas.edu> wrote:
I just tried pf_ring with the latest bro. The following is the worker node entry in node.cfg:

interface=p1p1.667 -ip1p2.667 -ip2p1.667 -ip2p2.667

When I look at the conn.log file I find entries like the following:

1368039512.116220       hla3Z6U8RRb  40873   22      tcp     -       0.097901        0       96 OTH      F       0       dA      1       40      1       88      (empty) worker-1-1
1368039512.362164       lSJB3FANh21  40873   22      tcp     -       0.002922        48      0  OTH      F       0       DA      2       128     0       0       (empty) worker-1-3

I thought that pf_ring hashed flows so that the same flow always went to the same worker, so that a worker saw all traffic for a flow.

I am using two dual-port Intel 520 NICs to read packets from a 10 GigE two-port LACP pair off two taps.

Is there anyone else using taps with pf_ring? If so, do you see anything wrong with my config?

Bill Jones

Bro mailing list
bro at bro-ids.org

Jesse Bowling
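The two OTH lines Bill quotes are the signature of a flow whose directions landed on different workers. The following is an added example, not code from this thread or from the Bro project: a small Python check over conn.log records that flags any 5-tuple logged by more than one worker within a few seconds, plus a per-worker conn_state tally (a worker that sees only one direction of traffic logs mostly OTH). The sample records are constructed; the quoted lines in the thread have their address columns stripped, so RFC 5737 placeholder addresses are used. The column layout assumed is the default Bro 2.x conn.log order followed by a trailing worker-name column, as in the quoted output.

```python
"""Detect flows split across Bro workers from conn.log records.

Added example (not from the Bro project or this thread). Assumes the
default Bro 2.x conn.log column order with the logging worker's name
appended as the last column; sample data below is constructed.
"""
from collections import defaultdict

# Default conn.log field order (Bro 2.x) plus the trailing worker column.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes",
          "conn_state", "local_orig", "missed_bytes", "history",
          "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
          "tunnel_parents", "worker"]

# Constructed sample: one SSH flow seen half on worker-1-1 and half on
# worker-1-3 (the bad case), and one healthy TLS flow on worker-1-2.
SAMPLE_LOG = "\n".join([
    "1368039512.116220\thla3Z6U8RRb\t198.51.100.7\t40873\t203.0.113.5\t22"
    "\ttcp\t-\t0.097901\t0\t96\tOTH\tF\t0\tdA\t1\t40\t1\t88\t(empty)\tworker-1-1",
    "1368039512.362164\tlSJB3FANh21\t198.51.100.7\t40873\t203.0.113.5\t22"
    "\ttcp\t-\t0.002922\t48\t0\tOTH\tF\t0\tDA\t2\t128\t0\t0\t(empty)\tworker-1-3",
    "1368039520.000000\tCabc123\t198.51.100.9\t51000\t203.0.113.5\t443"
    "\ttcp\tssl\t1.5\t900\t4200\tSF\tF\t0\tShADadFf\t9\t1300\t8\t4600\t(empty)\tworker-1-2",
])


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into dicts; skip comments/short lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            continue  # truncated or differently formatted line
        records.append(dict(zip(FIELDS, cols)))
    return records


def flow_key(rec):
    """Direction-agnostic 5-tuple so both halves of a flow share one key."""
    ends = sorted([(rec["id.orig_h"], rec["id.orig_p"]),
                   (rec["id.resp_h"], rec["id.resp_p"])])
    return (rec["proto"],) + tuple(ends)


def find_split_flows(records, window=5.0):
    """Return {flow_key: [workers]} for 5-tuples logged by 2+ workers
    within `window` seconds (a reused ephemeral port hours later is ignored)."""
    by_key = defaultdict(list)
    for rec in records:
        by_key[flow_key(rec)].append(rec)
    split = {}
    for key, recs in by_key.items():
        workers = {r["worker"] for r in recs}
        if len(workers) < 2:
            continue
        times = sorted(float(r["ts"]) for r in recs)
        if times[-1] - times[0] <= window:
            split[key] = sorted(workers)
    return split


def worker_state_summary(records):
    """Count conn_state values per worker; an OTH-heavy worker is suspect."""
    summary = defaultdict(lambda: defaultdict(int))
    for rec in records:
        summary[rec["worker"]][rec["conn_state"]] += 1
    return {w: dict(states) for w, states in summary.items()}


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_LOG)
    for key, workers in find_split_flows(recs).items():
        print("split flow", key, "seen on", ", ".join(workers))
    for worker, states in sorted(worker_state_summary(recs).items()):
        print(worker, states)
```

Run against a real conn.log, replace `SAMPLE_LOG` with the file contents (drop the header lines or let the `#` check skip them); a non-empty result from `find_split_flows` means the load balancer is not keeping both directions of a flow on one worker, which is exactly what the hashing is supposed to guarantee.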