[Bro] zbalance_ipc with multiple applications and Bro
dj.root at netronome.com
Wed Feb 11 08:45:41 PST 2015
It may be supported, but we have tested and proven similar functionality in hardware. Our hardware and software can bind specific instances of Bro (or Suricata for that matter) onto host cores - something we call flow affinity. Furthermore, those flows are load balanced any way the user wants them.
Example config: We compile both Bro and Suricata against our pcap libraries so that they each recognize our network interface nomenclature. In the case of “Bro”, we edit the “/usr/local/bro/etc/node.cfg” file to add the interface bindings and CPU pinning for each worker thread. See below. We then use “broctl” to start Bro processing.
Note: nfe = Netronome Flow Engine
> On Feb 11, 2015, at 10:14 AM, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
> I'm trying to start Bro and Suricata on one sensor, using the pf_ring
> ZC, like this
> zbalance_ipc -i eth5 -c 99 -n 4,4 -m 1
> where 99 is the cluster ID and -n <num>,<num> creates separate rings
> for each application. So far so good.
> I should tell Bro to somehow bind to the zc:99@4, zc:99@5, zc:99@6,
> zc:99@7 interfaces. How can I do it?
> Using zc:99@4 (AKA base, and let it increment automatically) does not work
> fatal error: /opt/bro/bin/bro: problem with interface zc:99@4 -
> pcap_open_live: zc:99@4: No such device exists (SIOCGIFHWADDR: No such
> Same for just zc:99 and not a surprise, Bro somehow needs to open
> sub-interfaces 4-7.
> Is it even supported?