[Bro] Quick pf_ring question
seth at icir.org
Mon Aug 25 10:35:19 PDT 2014
On Aug 21, 2014, at 6:11 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> Hey all!
> So...where/how does one utilize pf_ring via command-line/local.bro?
> I'm not having much luck finding the info...thanks for any help.
You could take a look at the pf_ring plugin in BroControl. There are some special environment variables that need to be set.
The main one you probably are concerned with is: PCAP_PF_RING_CLUSTER_ID. Set this to some numeric value and use the same value for each worker you are running and the traffic should be balanced across all of your processes.
You should also probably set the PCAP_PF_RING_USE_CLUSTER_PER_FLOW to 1 as well.
Since you're running Bro manually, it might look like this:
PCAP_PF_RING_USE_CLUSTER_PER_FLOW=1 PCAP_PF_RING_CLUSTER_ID=21 bro <your args>
International Computer Science Institute
(Bro) because everyone has a network
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140825/dbb63e48/attachment.bin
More information about the Bro