[Bro] RHEL7 and AF_PACKET
philosnef at gmail.com
Sun Dec 11 16:58:05 PST 2016
Also, I get very low packet loss when using AF_PACKET on 7.3, BUT, conn and
weird logs go absolutely bonkers, and long term conns are trashed because
traffic goes out one worker but back in on a different one. This is a big
issue for me, as we were going to go AF_PAcKET with suricata as well.
On Sun, Dec 11, 2016 at 7:56 PM, erik clark <philosnef at gmail.com> wrote:
> I have a bug report with RH. It is being worked on. It MAY make it into
> 7.4. The solution from RH is to use the elrepo kernel. I haven't been back
> to work yet, but I may be getting a test kernel to work with to help get
> this into the main branch earlier than 7.4. Per RH, the permanent fix isn't
> that bad, it just touches on a bunch of things at once making it
> undesireable to push into production immediately.
> On Fri, Dec 9, 2016 at 10:23 PM, Ditch, Derek <
> derek.ditch at criticalstack.com> wrote:
>> I haven’t used your tool before. That’s interesting…I tested in my ROCK
>> NSM dev VM and it failed. When I switched to the El Repo kernel it had no
>> problem. On production sensors w/ AF_PACKET I get ~ 0.06% packet loss. I’ll
>> have to dig deeper on this. Your go app fails on my production sensor too,
>> but I never had sufficient packet loss to dig into it.
>> Have you submitted an issue with Red Hat to get the fix backported? If
>> so, can you post the bug tracker number?
>> On 12/9/16, 18:02, "Azoff, Justin S" <jazoff at illinois.edu> wrote:
>> > On Dec 9, 2016, at 5:57 PM, Ditch, Derek <
>> derek.ditch at criticalstack.com> wrote:
>> > To be clear, AF_PACKET on RHEL7 and CentOS7 work extremely well w/
>> Bro 2.5 and the af_packet plugin. It will not, however, work under RHEL 6
>> because it uses the 2.x kernel.
>> Is this with a single worker or multiple workers?
>> A single worker would work fine, but as far as I can tell hash based
>> fanout is broken.
>> If bro is working for you, any ideas why
>> https://github.com/JustinAzoff/can-i-use-afpacket-fanout/ fails to run
>> properly on Centos 7?
>> - Justin Azoff
>> The information contained in this e-mail is confidential and/or
>> proprietary to Capital One and/or its affiliates and may only be used
>> solely in performance of work or services for Capital One. The information
>> transmitted herewith is intended only for use by the individual or entity
>> to which it is addressed. If the reader of this message is not the intended
>> recipient, you are hereby notified that any review, retransmission,
>> dissemination, distribution, copying or other use of, or taking of any
>> action in reliance upon this information is strictly prohibited. If you
>> have received this communication in error, please contact the sender and
>> delete the material from your computer.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro