[Bro] RHEL7 and AF_PACKET
derek.ditch at criticalstack.com
Fri Dec 9 19:23:50 PST 2016
I haven’t used your tool before. That’s interesting… I tested in my ROCK NSM dev VM and it failed. When I switched to the El Repo kernel it had no problem. On production sensors w/ AF_PACKET I get ~0.06% packet loss. I’ll have to dig deeper on this. Your go app fails on my production sensor too, but I never had sufficient packet loss to dig into it.
Have you submitted an issue with Red Hat to get the fix backported? If so, can you post the bug tracker number?
On 12/9/16, 18:02, "Azoff, Justin S" <jazoff at illinois.edu> wrote:
>> On Dec 9, 2016, at 5:57 PM, Ditch, Derek <derek.ditch at criticalstack.com> wrote:
>> To be clear, AF_PACKET on RHEL7 and CentOS7 work extremely well w/ Bro 2.5 and the af_packet plugin. It will not, however, work under RHEL 6 because it uses the 2.x kernel.
>
> Is this with a single worker or multiple workers?
>
> A single worker would work fine, but as far as I can tell hash based fanout is broken.
>
> If bro is working for you, any ideas why https://github.com/JustinAzoff/can-i-use-afpacket-fanout/ fails to run properly on Centos 7?
>
> - Justin Azoff