[Bro] Quick pf_ring question

Seth Hall seth at icir.org
Mon Aug 25 10:35:19 PDT 2014

On Aug 21, 2014, at 6:11 PM, James Lay <jlay at slave-tothe-box.net> wrote:

> Hey all!
> So...where/how does one utilize pf_ring via command-line/local.bro?  
> I'm not having much luck finding the info...thanks for any help.

You could take a look at the pf_ring plugin in BroControl.  There are some special environment variables that need to be set.  

The main one you probably are concerned with is: PCAP_PF_RING_CLUSTER_ID.  Set this to some numeric value and use the same value for each worker you are running and the traffic should be balanced across all of your processes.

You should also probably set the PCAP_PF_RING_USE_CLUSTER_PER_FLOW to 1 as well.

Since you're running Bro manually, it might look like this:



Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140825/dbb63e48/attachment.bin 

More information about the Bro mailing list