[Bro] pf_ring on RHEL/CENTOS 6?
mattchess50 at gmail.com
Mon Nov 4 11:09:30 PST 2013
In case anyone is interested, I ended up installing PF_RING from source,
then rebuilding the Bro RPM with PF_RING support. It would be nice if the
native libpcap and tcpdump already had support for PF_RING, but that's not
currently the case. I'd rather install everything from RPMs, but having
Bro at least installed from a package should make updates a little easier.
Here are the basic steps:
1. Add the EPEL repo to the system but leave it disabled:
2. Remove conflicting packages: libpcap, tcpdump, cmake.
3. Install prerequisites: mpfr cpp ppl cloog-ppl gcc kernel-devel
pcre-devel libpcap-devel yum-plugin-priorities libnet flex bison gcc-c++
4. Install prerequisites from EPEL: libyaml libyaml-devel cmake28
5. Create a softlink for cmake pointing to the newer version from EPEL.
Build and Install PF_RING
1. Download the source from
2. Configure, make, and install the kernel module, libpcap, and tcpdump
3. Create an /etc/modprobe.d/pfring.conf entry to load the kernel module
4. Manually load the pf_ring module for now
5. Create an ldconfig file /etc/ld.so.conf.d/pfring.conf that contains
the path to the libpcap dynamic libraries
6. Run “ldconfig” to load the new config for now
Build the Bro RPM with PF_RING Support
1. Download the source from http://www.bro.org/download/index.html and
unpack it with a non-root user.
2. As that non-root user, go into the bro-2.1/pkg directory and edit the
check-cmake file so that the cmake check matches the version you have.
3. As the non-root user edit the make-rpm-packages file and add the
--with-pcap=/usr/local/pfring (or wherever you installed PF_RING) option to
the configure lines.
4. As the non-root user execute the make-rpm-packages script; the
packages will end up in the bro-2.1/build/ directory.
Install Bro from the newly built RPM package
It's running now with PF_RING and very few dropped packet notices.
# cat /proc/net/pf_ring/info
PF_RING Version : 5.6.1 ($Revision: exported$)
Total rings : 4
Standard (non DNA) Options
Ring slots : 4096
Slot version : 15
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 3464
Cluster Fragment Discard : 1036837
On Wed, Oct 30, 2013 at 10:33 AM, Matt Stucky <mattchess50 at gmail.com> wrote:
> I've set up a Bro 2.1 instance with a network tap, but keep getting notice
> log entries of "PacketFilter::Dropped_Packets". I'm assuming this is
> because Bro is single threaded and it needs more workers to keep up with
> the traffic, so I'm trying to implement pf_ring to distribute the traffic
> across multiple workers. I've installed the pf_ring RPM package from ntop (
> http://www.nmon.net/packages/rpm/x86_64/PF_RING/) and that gets the
> kernel module loaded but seems to be lacking something still - probably
> linking libpcap to pf_ring? That's what I'm not sure about. After
> installing pf_ring from the RPM package and configuring Bro for multiple
> workers it starts up ok but is still dropping packets (all of the workers,
> per the notice log) and pf_ring doesn't appear to be used:
> # cat /proc/net/pf_ring/info
> PF_RING Version : 5.6.2 ($Revision: 6910$)
> Total rings : 0
> Standard (non DNA) Options
> Ring slots : 4096
> Slot version : 15
> Capture TX : No [RX only]
> IP Defragment : No
> Socket Mode : Standard
> Transparent mode : Yes [mode 0]
> Total plugins : 0
> Cluster Fragment Queue : 0
> Cluster Fragment Discard : 0
> Has anyone had any success with clustered Bro with pf_ring on RHEL/CENTOS,
> and did you have to compile it from source and re-compile libpcap? I'd
> prefer to stick with the RPM packages since it tends to make updating less
> problematic. I installed Bro 2.1 as an RPM package as well.
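As an added example (not from Matt's post and not code from the Bro or PF_RING projects), a small POSIX shell script that checks the two things this thread turns on: whether any rings are open in /proc/net/pf_ring/info (the "Total rings : 0" in the original question means the module is loaded but nothing has opened a PF_RING socket), and which libpcap the bro binary resolves at run time, which is what the ldconfig step is meant to change. The sample info file is constructed from the working output above so the script runs on a box without PF_RING; the ldd check assumes Bro was configured with --with-pcap pointing at a prefix such as /usr/local/pfring, so libpcap should resolve from that prefix's lib directory rather than the distro's /usr/lib64.

```shell
#!/bin/sh
# Added example: sanity checks for a Bro + PF_RING install on RHEL/CentOS 6.
# Not part of the original post or of the Bro/PF_RING projects.

# Print the value of "Key : Value" from a pf_ring info file ($1), for key $2.
# Splits on the first ':' only, so values containing ':' (the version line) survive.
pf_info_field() {
    awk -v key="$2" '
        {
            i = index($0, ":"); if (i == 0) next
            k = substr($0, 1, i - 1); sub(/[ \t]+$/, "", k)
            if (k == key) { v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit }
        }' "$1"
}

# Succeed only if at least one ring is open, i.e. some capture process
# (Bro, tcpdump) has actually opened a PF_RING socket. A loaded module with
# "Total rings : 0" is the symptom in the original question.
pf_ring_in_use() {
    rings=$(pf_info_field "${1:-/proc/net/pf_ring/info}" "Total rings")
    [ -n "$rings" ] && [ "$rings" -gt 0 ]
}

# Print the libpcap path a dynamically linked binary ($1) resolves via ldd.
# After the ldconfig step this should be under the PF_RING prefix
# (assumed /usr/local/pfring/lib), not the distro's /usr/lib64.
binary_pcap_lib() {
    ldd "$1" 2>/dev/null | awk '$1 ~ /^libpcap\.so/ { print $3; exit }'
}

# Constructed sample, copied from the working output in the post above,
# so the script runs on a box without PF_RING.
write_sample_info() {
    cat > "$1" <<'EOF'
PF_RING Version : 5.6.1 ($Revision: exported$)
Total rings : 4
Standard (non DNA) Options
Ring slots : 4096
Slot version : 15
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 3464
Cluster Fragment Discard : 1036837
EOF
}

# Stand-alone run: use the live file when the module is loaded, else the sample.
info=/proc/net/pf_ring/info
if [ ! -r "$info" ]; then
    info=$(mktemp)
    write_sample_info "$info"
    echo "pf_ring module not loaded here; checking constructed sample $info"
fi
if pf_ring_in_use "$info"; then
    echo "PF_RING $(pf_info_field "$info" 'PF_RING Version'): $(pf_info_field "$info" 'Total rings') ring(s) open"
else
    echo "PF_RING loaded but no rings open: the capture process is not using the PF_RING libpcap"
fi
if command -v bro >/dev/null 2>&1; then
    echo "bro resolves libpcap from: $(binary_pcap_lib "$(command -v bro)")"
fi
```

Run it as root after starting the workers with broctl; if the live file still reports zero rings while Bro is running, the ldd line is the first place to look, since a bro binary that resolves libpcap from /usr/lib64 was either built against the distro's libpcap-devel or is being started without the /etc/ld.so.conf.d/pfring.conf entry taking effect.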