[Bro] zbalance_ipc with multiple applications and Bro
apumphrey at ivsec.com
Wed Feb 11 08:31:29 PST 2015
You probably need to take a look at the PFRINGFirstAppInstance in broctl.cfg, it defaults to 0. If you’re looking to use the second app instance created by zbalance_ipc you’ll need to set that option to 4.
Also make sure the lb_method and lb_procs are set appropriately in node.cfg file, for example:
lb_procs=4 # should be equivalent to the number of instances per ‘ring'
If you really want to use zero-copy you need to add the prefix “zc:” to the physical interface name; e.g. zbalance_ipc -i zc:eth5. There are other pre-req’s for that to work, like configuring huge memory pages and installing the pf_ring-aware ZC driver.
I’ve been testing with ZC also but having issues with Bro reporting increased packet loss rates as soon I enable a configuration like this. Not sure if this is a hashing mode conflict, NIC/driver configuration issue or what.. I’d be interested to hear about your (or anyone else’s) results with such a setup.
> On Feb 11, 2015, at 10:14 AM, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
> I'm trying to start Bro and Suricata on one sensor, using the pf_ring
> ZC, like this
> zbalance_ipc -i eth5 -c 99 -n 4,4 -m 1
> where 99 is the cluster ID and -n <num>,<num> creates separate rings
> for each application. So far so good.
> I should tell Bro to somehow bind to the zc:99 at 4, zc:99 at 5, zc:99 at 6,
> zc:99 at 7 interfaces. How can I do it?
> Using zc:99 at 4 (AKA base, and let it increment automatically) does not work
> fatal error: /opt/bro/bin/bro: problem with interface zc:99 at 4 -
> pcap_open_live: zc:99 at 4: No such device exists (SIOCGIFHWADDR: No such
> Same for just zc:99 and not a surprise, Bro somehow needs to open
> sub-interfaces 4-7.
> Is it even supported?
> Bro mailing list
> bro at bro-ids.org
More information about the Bro