[Bro] Confused about bro pf_ring support
jones at tacc.utexas.edu
Wed May 8 13:47:32 PDT 2013
I changed my interface line to match yours. Now I don't see any pf_ring entries that indicate that pf_ring is active in /proc/net/pf_ring/.
I should see an entry like the following for each open device: 8115-p1p1.667.9.
Could you check your system's /proc/net/pf_ring and see if you are really using pf_ring?
From: Jesse Bowling [mailto:jessebowling at gmail.com]
Sent: Wednesday, May 08, 2013 2:46 PM
To: William Jones
Cc: bro at bro.org
Subject: Re: [Bro] Confused about bro pf_ring support
I configured my PF_RING enabled workers like:
...I also had to make a change I referenced on-list:
So while this apparently fixes my issue:
--- control.py 2013-02-13 12:08:00.514656601 -0500
+++ control_mod.py 2013-02-13 12:09:38.382663593 -0500
@@ -808,7 +808,7 @@
for (addr, interface) in hosts.keys():
node = hosts[addr, interface]
- capstats = [config.Config.capstatspath, "-i", interface, "-I", str(interval), "-n", "1"]
+ capstats = [config.Config.capstatspath, "-i", '"' + interface + '"', "-I", str(interval), "-n", "1"]
# Unfinished feature: only consider a particular MAC. Works here for capstats
# but Bro config is not adapted currently so we disable it for now.
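Review bot: wrapping `interface` in literal double-quote characters (the `+` line) only does the right thing if the `capstats` list is later joined into a shell command string; handed straight to a subprocess as an argv list, the quotes become part of the argument and capstats receives `"p1p1.667 -ip1p2.667"` with the quotes included. If the list is shell-joined, `pipes.quote(interface)` (Python 2) produces correct quoting for any interface value, including ones containing quotes or other shell metacharacters; either way, a short comment explaining that the PF_RING multi-interface value must survive as a single `-i` argument would help the next reader of this line.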
I cannot speak to how this might affect others, the system in general, or where else this issue might crop up. I suspect that anywhere that involves bash + interface names is likely to suffer unexpected results due to this PF_RING style invocation...
I'm not sure if that has been changed in the main distro however... Might be best to double check that file if you find your broctl cron jobs failing... :)
On Wed, May 8, 2013 at 3:36 PM, William Jones <jones at tacc.utexas.edu> wrote:
I just tried pf_ring with the latest bro. The following is the worker node entry in node.cfg:
interface=p1p1.667 -ip1p2.667 -ip2p1.667 -ip2p2.667
When I look at the conn.log file I find entries like the following:
1368039512.116220 hla3Z6U8RRb 188.8.131.52 40873 184.108.40.206 22 tcp - 0.097901 0 96 OTH F 0 dA 1 40 1 88 (empty) worker-1-1
1368039512.362164 lSJB3FANh21 220.127.116.11 40873 18.104.22.168 22 tcp - 0.002922 48 0 OTH F 0 DA 2 128 0 0 (empty) worker-1-3
I thought that pf_ring hashed flows so that the same flow always went to the same worker, so that a worker saw all traffic for a flow.
I am using two dual-port Intel 520 NICs to read packets from a 10 GigE two-port LACP pair off two taps.
Is there anyone else using taps with pf_ring? If so, do you see anything wrong with my config?
Bro mailing list
bro at bro-ids.org
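An added check for the symptom William describes (example code, not from the thread or the Bro project): parse conn.log records, key each connection independently of which side Bro called the originator, and report flows whose records carry different worker names. It assumes the worker name is a site-local 21st column appended to conn.log, as in the lines quoted above; the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records modelled on the thread's lines (not the author's data);
# the 21st column is assumed to be a site-local field holding the worker name.
SAMPLE_CONN_LOG = """\
1368039512.116220 hla3Z6U8RRb 10.0.0.5 40873 10.0.0.9 22 tcp - 0.097901 0 96 OTH F 0 dA 1 40 1 88 (empty) worker-1-1
1368039512.362164 lSJB3FANh21 10.0.0.9 22 10.0.0.5 40873 tcp - 0.002922 48 0 OTH F 0 DA 2 128 0 0 (empty) worker-1-3
1368039520.000000 CZ9qwe1abcd 10.0.0.7 51000 10.0.0.9 22 tcp ssh 3.100000 500 900 SF F 0 ShADadFf 10 1000 9 1400 (empty) worker-1-2
"""


def _count(value):
    """Bro writes '-' for an unset byte count; treat it as zero."""
    return 0 if value == "-" else int(value)


def parse_conn_line(line):
    """Split one whitespace-separated conn.log record into the fields we use."""
    f = line.split()
    if len(f) < 21:
        raise ValueError("expected 21 columns, got %d" % len(f))
    return {
        "uid": f[1], "orig": (f[2], int(f[3])), "resp": (f[4], int(f[5])),
        "proto": f[6], "orig_bytes": _count(f[9]), "resp_bytes": _count(f[10]),
        "conn_state": f[11], "history": f[14], "worker": f[20],
    }


def flow_key(rec):
    """Direction-agnostic key: a symmetric flow hash must send both sides to one worker."""
    a, b = sorted([rec["orig"], rec["resp"]])
    return (rec["proto"],) + a + b


def one_sided(rec):
    """True when a record saw bytes in only one direction, like the OTH lines quoted."""
    return rec["conn_state"] == "OTH" and (rec["orig_bytes"] == 0) != (rec["resp_bytes"] == 0)


def split_flows(log_text):
    """Map flow key -> sorted worker names for flows whose records came from >1 worker."""
    workers = defaultdict(set)
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip Bro's header/footer lines
            continue
        rec = parse_conn_line(line)
        workers[flow_key(rec)].add(rec["worker"])
    return {k: sorted(w) for k, w in workers.items() if len(w) > 1}


if __name__ == "__main__":
    for key, ws in split_flows(SAMPLE_CONN_LOG).items():
        print("flow %s seen by workers %s" % (key, ", ".join(ws)))
```

A flow reported by more than one worker, especially when each record is one-sided, means the capture path is not hashing both directions of the flow to the same worker.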