[Bro] Duplicate Entries - using PF_RING

Azoff, Justin S jazoff at illinois.edu
Thu Aug 25 15:06:23 PDT 2016


> On Aug 25, 2016, at 5:47 PM, John Bradley <jeb446 at msstate.edu> wrote:
> 
> # Bound Sockets:   0

Bro is not using pf_ring.

This is what it looks like when bro is using pf_ring:

[root at nids-dev3 ~]# ldd `which bro`|grep pcap
        libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f91abc5a000)


[root at nids-dev3 ~]# cat /proc/net/pf_ring/dev/p1p1/info
Name:              p1p1
Index:             4
Address:           A0:36:9F:27:4C:48
Polling Mode:      NAPI
Type:              Ethernet
Family:            Standard NIC
# Bound Sockets:   7
Max # TX Queues:   32
# Used RX Queues:  32

[root at nids-dev3 ~]# grep App /proc/net/pf_ring/*p1p1*
/proc/net/pf_ring/32471-p1p1.7619:Appl. Name         : bro-p1p1
/proc/net/pf_ring/32506-p1p1.7620:Appl. Name         : bro-p1p1
/proc/net/pf_ring/32523-p1p1.7623:Appl. Name         : bro-p1p1
/proc/net/pf_ring/32535-p1p1.7622:Appl. Name         : bro-p1p1
/proc/net/pf_ring/32537-p1p1.7624:Appl. Name         : bro-p1p1
/proc/net/pf_ring/32548-p1p1.7614:Appl. Name         : bro-p1p1
/proc/net/pf_ring/32563-p1p1.7616:Appl. Name         : bro-p1p1

[root at bro-dev bro]# tail etc/node.cfg
[nids-dev3a]
type=worker
interface=p1p1
lb_method=pf_ring
lb_procs=7
pin_cpus=2,3,4,5,6,7,8
...

-- 
- Justin Azoff




More information about the Bro mailing list