[Bro] Fwd: Configure error linking libpcap and pthread

Daniel Thayer dnthayer at illinois.edu
Fri Aug 29 12:05:11 PDT 2014


Another thing to check is to search the output of "broctl config"
for "pfringclusterid" (it must be set to a non-zero value if you
want to use PF_RING).



On 08/29/2014 01:49 PM, Doug Burks wrote:
> Based on the following lines, it looks like Bro is running in standalone mode:
> Appl. Name         : <unknown>
> Cluster Id         : 0
>
> If it were running in cluster mode, I would expect to see something
> like the following instead:
> Appl. Name         : bro-eth3
> Cluster Id         : 21
>
> Have you double-checked your node.cfg?
>
> Have you tried the following?
> sudo broctl install && sudo broctl restart
>
> On Fri, Aug 29, 2014 at 11:31 AM, Joe Blow <blackhole.em at gmail.com> wrote:
>> It sure is.  Here is what it's telling me from the proc fs:
>>
>> # cat /proc/net/pf_ring/53559-eth3.103
>> Bound Device(s)    : eth3
>> Active             : 1
>> Breed              : Non-DNA
>> Sampling Rate      : 1
>> Capture Direction  : RX+TX
>> Socket Mode        : RX+TX
>> Appl. Name         : <unknown>
>> IP Defragment      : No
>> BPF Filtering      : Enabled
>> # Sw Filt. Rules   : 0
>> # Hw Filt. Rules   : 0
>> Poll Pkt Watermark : 1
>> Num Poll Calls     : 1
>> Channel Id Mask    : 0xFFFFFFFF
>> Cluster Id         : 0
>> Slot Version       : 16 [6.0.2]
>> Min Num Slots      : 32768
>> Bucket Len         : 8192
>> Slot Len           : 8232 [bucket+header]
>> Tot Memory         : 269758464
>> Tot Packets        : 220334266
>> Tot Pkt Lost       : 74243221
>> Tot Insert         : 146091045
>> Tot Read           : 145749734
>> Insert Offset      : 136479200
>> Remove Offset      : 136550784
>> TX: Send Ok        : 0
>> TX: Send Errors    : 0
>> Reflect: Fwd Ok    : 0
>> Reflect: Fwd Errors: 0
>> Num Free Slots     : 0
>>
>>
>> This is where I'm seeing tons of the packet loss.  I've got snort running
>> with PF_RING on the same box with 8 threads, 0 packet loss.  Any ideas?
>>
>> Cheers,
>>
>> JB
>>
>>
>> On Fri, Aug 29, 2014 at 10:58 AM, Doug Burks <doug.burks at gmail.com> wrote:
>>>
>>> It's possible that Bro is not actually using PF_RING and is actually
>>> falling back to standard libpcap.  Have you checked /proc/net/pf_ring/
>>> to see if there is evidence of Bro using PF_RING?
>>>
>>> On Fri, Aug 29, 2014 at 10:53 AM, Joe Blow <blackhole.em at gmail.com> wrote:
>>>> So I've gone and recompiled with PF_RING 6.  I have everything working and
>>>> using PF_RING correctly, but I'm still seeing packet loss (around 25% on a
>>>> 400-450mb/s link).   I was only ever able to get Bro working with
>>>> "Transparent mode = 0" and not 2 or 1.  I might be doing something
>>>> completely wrong, but whenever I start BRO, I only ever see one thread
>>>> peaking at 100%. Here is my node configuration:
>>>>
>>>> [worker-0]
>>>> type=worker
>>>> host=10.10.10.10
>>>> interface=eth3
>>>> lb_method=pf_ring
>>>> lb_procs=12
>>>>
>>>> Any ideas as to why I'm only getting one thread seeing the bro traffic?
>>>> Excuse my ignorance.
>>>>
>>>> Cheers,
>>>>
>>>> JB
>>>>
>>>>
>>>> On Thu, Aug 28, 2014 at 7:06 PM, Joe Blow <blackhole.em at gmail.com> wrote:
>>>>>
>>>>> Doug Burks was quick to point out that I didn't export LIBS or LDFLAGS.
>>>>>
>>>>> I would have NEVER guessed this... thanks a thousand times over for this
>>>>> tidbit.  Configure finished just fine.  Making now.  Will update once I've
>>>>> got it up and load balanced.
>>>>>
>>>>> <code>
>>>>>
>>>>> export LDFLAGS="-Wl,--no-as-needed -lrt"
>>>>>
>>>>> export LIBS="-lrt -lnuma"
>>>>>
>>>>> </code>
>>>>>
>>>>> Cheers,
>>>>>
>>>>> JB
>>>>>
>>>>>
>>>>> On Thu, Aug 28, 2014 at 6:52 PM, Doug Burks <doug.burks at gmail.com> wrote:
>>>>>>
>>>>>> Hi Joe,
>>>>>>
>>>>>> When I packaged Bro 2.3 and PF_RING 6.0.2, I had to do the following:
>>>>>>
>>>>>> export LDFLAGS := $(LDFLAGS) -Wl,--no-as-needed -lrt
>>>>>> export LIBS := $(LIBS) -lrt -lnuma
>>>>>>
>>>>>> Depending on your configuration, you may also need to include
>>>>>> -lpthread in your LIBS.
>>>>>>
>>>>>> On Thu, Aug 28, 2014 at 5:52 PM, Joe Blow <blackhole.em at gmail.com> wrote:
>>>>>>> Hey all,
>>>>>>>
>>>>>>> I'm having a really tough time getting PF_RING working with Bro in a
>>>>>>> threaded fashion.  I have PF_RING compiled and working fine (tcpdump test
>>>>>>> works fine with Transparent mode = 2):
>>>>>>>
>>>>>>> PF_RING Version          : 6.0.2 ($Revision: exported$)
>>>>>>> Total rings              : 0
>>>>>>>
>>>>>>> Standard (non DNA) Options
>>>>>>> Ring slots               : 4096
>>>>>>> Slot version             : 16
>>>>>>> Capture TX               : No [RX only]
>>>>>>> IP Defragment            : No
>>>>>>> Socket Mode              : Standard
>>>>>>> Transparent mode         : No [mode 2]
>>>>>>> Total plugins            : 0
>>>>>>> Cluster Fragment Queue   : 0
>>>>>>> Cluster Fragment Discard : 0
>>>>>>>
>>>>>>> Bro is version 2.3 (sha1 - 79397be0e351165d44047b044d29b5e6580532cc bro-2.3.tar.gz)
>>>>>>> OS is CentOS 6.4 running 2.6.32-358.11.1.el6.x86_64
>>>>>>>
>>>>>>> When I try and configure against my PF_RING libraries, I get this:
>>>>>>>
>>>>>>> ./configure --with-pcap=/opt/pfring
>>>>>>> Build Directory : build
>>>>>>> Source Directory: /root/src/bro-2.3
>>>>>>> -- The C compiler identification is GNU
>>>>>>> -- The CXX compiler identification is GNU
>>>>>>> -- Check for working C compiler: /usr/bin/gcc
>>>>>>> -- Check for working C compiler: /usr/bin/gcc -- works
>>>>>>> -- Detecting C compiler ABI info
>>>>>>> -- Detecting C compiler ABI info - done
>>>>>>> -- Check for working CXX compiler: /usr/bin/c++
>>>>>>> -- Check for working CXX compiler: /usr/bin/c++ -- works
>>>>>>> -- Detecting CXX compiler ABI info
>>>>>>> -- Detecting CXX compiler ABI info - done
>>>>>>> -- Found sed: /bin/sed
>>>>>>> -- Found Perl: /usr/bin/perl
>>>>>>> -- Found FLEX: 2.5.35
>>>>>>> -- Found BISON: /usr/bin/bison
>>>>>>> -- Found PCAP: /opt/pfring/lib/libpcap.so
>>>>>>> -- Performing Test PCAP_LINKS_SOLO
>>>>>>> -- Performing Test PCAP_LINKS_SOLO - Failed
>>>>>>> -- Looking for include files CMAKE_HAVE_PTHREAD_H
>>>>>>> -- Looking for include files CMAKE_HAVE_PTHREAD_H - found
>>>>>>> -- Looking for pthread_create in pthreads
>>>>>>> -- Looking for pthread_create in pthreads - not found
>>>>>>> -- Looking for pthread_create in pthread
>>>>>>> -- Looking for pthread_create in pthread - found
>>>>>>> -- Found Threads: TRUE
>>>>>>> -- Performing Test PCAP_NEEDS_THREADS
>>>>>>> -- Performing Test PCAP_NEEDS_THREADS - Failed
>>>>>>> CMake Error at cmake/FindPCAP.cmake:61 (message):
>>>>>>>    Couldn't determine how to link against libpcap
>>>>>>> Call Stack (most recent call first):
>>>>>>>    cmake/FindRequiredPackage.cmake:26 (find_package)
>>>>>>>    CMakeLists.txt:52 (FindRequiredPackage)
>>>>>>>
>>>>>>>
>>>>>>> -- Configuring incomplete, errors occurred!
>>>>>>>
>>>>>>> I'm banging my head against this, but I believe this is because bro can't
>>>>>>> find the threading library to link to.  Could someone point me in the right
>>>>>>> direction?  Do I need other threading libraries? Static linking?
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> JB
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Doug Burks
>>>>>> Need Security Onion Training or Commercial Support?
>>>>>> http://securityonionsolutions.com
>>>>>
>>>>>
>>>>
>>>
>>
>>
>
>
>
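
The check discussed in this thread (a ring socket showing Cluster Id 0 and Appl. Name <unknown> is not being load-balanced), written out as an added example that is not part of any message above. The function names are hypothetical, `sample_ring` writes an abridged copy of the stats posted in the thread, and the loss figure assumes Tot Packets counts both inserted and lost packets, which the posted counters are consistent with (146091045 + 74243221 = 220334266).

```shell
#!/bin/sh
# Added example: audit PF_RING socket stats in the /proc/net/pf_ring/<pid>-<if>.<n> format.

# ring_field FILE NAME: print the value of the "NAME      : value" line.
ring_field() {
    LC_ALL=C awk -v key="$2" '
        index($0, key) == 1 {
            rest = substr($0, length(key) + 1)
            if (rest ~ /^[ \t]*:/) { sub(/^[ \t]*:[ \t]*/, "", rest); print rest; exit }
        }' "$1"
}

# loss_pct FILE: Tot Pkt Lost as a percentage of Tot Packets, one decimal place.
loss_pct() {
    LC_ALL=C awk -v l="$(ring_field "$1" "Tot Pkt Lost")" -v t="$(ring_field "$1" "Tot Packets")" \
        'BEGIN { printf "%.1f", (t > 0) ? 100 * l / t : 0 }'
}

# audit_ring FILE: print findings; return 1 if the socket is unclustered or losing packets.
audit_ring() {
    rc=0
    cid=$(ring_field "$1" "Cluster Id")
    if [ "${cid:-0}" = "0" ]; then
        echo "$1: Cluster Id 0 (Appl. Name $(ring_field "$1" "Appl. Name")): not in a PF_RING cluster"
        rc=1
    fi
    lost=$(ring_field "$1" "Tot Pkt Lost")
    if [ "${lost:-0}" -gt 0 ]; then
        echo "$1: $(loss_pct "$1")% of packets lost, $(ring_field "$1" "Num Free Slots") free slots"
        rc=1
    fi
    return "$rc"
}

# sample_ring FILE: write an abridged copy of the ring stats quoted in the thread.
sample_ring() {
    cat > "$1" <<'EOF'
Appl. Name         : <unknown>
Cluster Id         : 0
Tot Packets        : 220334266
Tot Pkt Lost       : 74243221
Num Free Slots     : 0
EOF
}

# With no arguments, audit every ring socket on this host (no output if PF_RING is not loaded).
[ "$#" -gt 0 ] || set -- /proc/net/pf_ring/*-*
for f in "$@"; do [ ! -f "$f" ] || audit_ring "$f" || :; done
```

A socket flagged for Cluster Id 0 is the case where the "pfringclusterid" value in the output of "broctl config" and the node.cfg worker settings should be checked, followed by "broctl install" and "broctl restart".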


