[Bro] Bro PF RING

Azoff, Justin S jazoff at illinois.edu
Tue Sep 22 13:23:03 PDT 2015


> On Sep 22, 2015, at 4:10 PM, Davison, Charles Robert <cdaviso1 at vols.utk.edu> wrote:
> 
> I am following the instructions on bro.org for the PF_Ring install and have completed the below steps so far. I have a question about the next few steps:

Looking good so far :-)

> How do I complete this?
> ...Refer to the documentation for your Linux distribution on how to load the pf_ring module at boot time.

For Ubuntu this should work: place

modprobe pf_ring enable_tx_capture=0

in /etc/modules-load.d/pfring.conf

> Does this basically mean I need to use the steps below on all worker nodes?
> ...You will need to install the PF_RING library files and kernel module on all of the workers in your cluster. 

Yes.  If your manager does not have a capture interface you can skip the kernel steps on that machine, but you need to install all of the components on the workers.

> I already downloaded bro and installed/configured it... Is there a way to reconfigure bro without performing the below steps?
> 	• Download the Bro source code. 


You will need to configure bro using

./configure --with-pcap=/opt/pfring

in order for it to link against pf_ring.

> 	• Configure and install Bro using the following commands:
> Steps Completed Thus Far on Ubuntu 14.04 LTS
> cd /usr/src
> sudo wget http://sourceforge.net/projects/ntop/files/PF_RING/PF_RING-6.0.3.tar.gz
> sudo tar zxvf PF_RING-6.0.3.tar.gz
> cd PF_RING-6.0.3/userland/lib
> ./configure --prefix=/opt/pfring
> make
> sudo make install
>  
> cd ../libpcap
> ./configure --prefix=/opt/pfring
> make
> sudo make install
>  
> cd ../tcpdump-4.1.1
> ./configure --prefix=/opt/pfring
> make
> sudo make install
>  
> cd ../../kernel
> make
> sudo make install
>  
> sudo modprobe pf_ring enable_tx_capture=0 min_num_slots=32768
> 
> 


-- 
- Justin Azoff
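
An added example, not part of the original message: a post-install check for each worker that confirms the rebuilt Bro binary resolves libpcap from the /opt/pfring prefix used in the thread and that the pf_ring module is loaded. The function names, the `--check` argument and the sample inputs are constructed for illustration; the Bro binary path is whatever you pass in.

```sh
#!/bin/sh
# Added example, not from the thread. /opt/pfring is the prefix used in the
# thread; the Bro binary path is supplied by the caller (an assumption).

# Reads `ldd` output on stdin. Succeeds only if libpcap is present and every
# libpcap entry resolves to a path under the given prefix.
pcap_from_prefix() {
    awk -v p="$1/" '
        $1 ~ /^libpcap\.so/ { found = 1; if (index($3, p) != 1) bad = 1 }
        END { exit !(found && !bad) }'
}

# Reads /proc/modules-format text on stdin. Succeeds if pf_ring is Live.
pf_ring_loaded() {
    awk '$1 == "pf_ring" && $5 == "Live" { ok = 1 } END { exit !ok }'
}

# Live check for one worker: check_worker /path/to/bro
check_worker() {
    ldd "$1" | pcap_from_prefix "${PFRING_PREFIX:-/opt/pfring}" \
        || { echo "FAIL: $1 is not linked against PF_RING libpcap"; return 1; }
    pf_ring_loaded < /proc/modules \
        || { echo "FAIL: pf_ring module is not loaded"; return 1; }
    echo "OK: $1 uses PF_RING libpcap and pf_ring is loaded"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_LDD_PFRING='  libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f0000000000)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000400000)'
SAMPLE_LDD_SYSTEM='  libpcap.so.0.8 => /usr/lib/x86_64-linux-gnu/libpcap.so.0.8 (0x00007f0000000000)'
SAMPLE_MODULES='pf_ring 1234567 2 - Live 0xffffffffa0000000 (OE)
e1000e 200000 0 - Live 0xffffffffa0100000'

# Run against the local host only when asked: ./script.sh --check /path/to/bro
if [ "${1:-}" = "--check" ]; then check_worker "$2"; fi
```

A binary that still resolves the distribution's libpcap is capturing without PF_RING, which is the case the first function rejects.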





