[Bro] Anyone using PF_RING ZC with Bro yet?

Gary Faulkner gfaulkner.nsm at gmail.com
Wed Aug 13 21:14:25 PDT 2014


Thanks for the reply. I remembered you commenting on that and asked 
Alfredo from NTOP if it was supported yet and he indicated that you can 
actually do the multiple app thing now. He also mentioned that the 
daemon mode option isn't implemented within the new script.

For example I asked about doing something like this, but in ZC:

pfdnacluster_master -i dna0,dna1 -d -n 12,1 -c 21

Alfredo indicated I should be able to get similar results with the new 
script like this (excepting no built in -d mode):

zbalance_ipc -i zc:ethX,zc:ethY -n 12,1 -m 1 -c 21

That said I also seem to recall someone else on the bro list having some other issues such as with jumbo frames or missing packets, but don't know if those ever got resolved. ZC is initially tempting because you only need the one ZC license instead of separate licenses for the DNA driver and Libzero, plus not having to go back for ZC later, but that's only helpful if it is working well for people.


On 8/13/2014 10:42 PM, Seth Hall wrote:
> On Aug 13, 2014, at 11:33 PM, Gary Faulkner <gfaulkner.nsm at gmail.com> wrote:
>> I have a couple new machines to set up and I am curious if anyone has
>> upgraded from PF_RING DNA + Libzero to PF_RING ZC for use with Bro and
>> what your experience has been? Is it safe or preferred to upgrade to ZC
>> or to stick with the DNA/Libzero approach at this time?
> The PF_Ring plugin in 2.3 should support ZC interfaces from the ZC traffic balancing tool they provide.  One problem with it though is that the new ZC tool only support balancing the traffic to a single tool unlike the DNA load balancing tool which can load balance traffic multiple times out to different tools.
>    .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/

More information about the Bro mailing list