[Bro] PF_RING ZC Config

Gary Faulkner gfaulkner.nsm at gmail.com
Fri Jul 8 10:26:22 PDT 2016

Related to Dave's query, but not really an answer, sorry Dave...

It might be worth revisiting this doc and updating for ZC:


A few things have changed on the PF_RING DNA side in broctl in regards 
to naming support "dnacl" instead of "dnacluster" due to problems with 
name length for dnaclusters with greater than 10 queues, and with the 
most recent releases of PF_RING (6.4+), DNA appears to have been removed 
finally in favor of the newer ZC according to the change notes. From 
what I recall reading I don't believe it is terribly different outside 
of substituting ZC drivers (and tweaking huge-pages in the driver load 
script) in favor of DNA, and using zbalance_ipc instead of 
pfdnacluster_master. I want to say the naming in node.cfg becomes 
zc:<clusterid> instead of dnacl:<clusterid>.

Also, speaking of ZC, NTOP has a blog post that might be worth taking a 
look at concerning alternate ways of implementing ZC / zbalance_ipc with 
bro to work around a problem that can occur when bro workers crash and 
get automatically restarted.


I haven't quite made the transition to ZC from DNA yet, otherwise I'd 
take a stab at submitting updated docs and trying to assist more here. I 
have plans to make the switch later this summer though.


On 7/7/16 5:25 PM, Dave Crawford wrote:
> Just wanted to update the list that I quit spending cycles on this and for the time being reverted back to running our clusters with the non-commercial version of pf_ring.
> I can only comment on my experience, but I discovered there is an extreme lack of quality documentation and the "commercial support" that came with the 10 licenses was nearly non-existent.
> Lessons have been learned and when the need to expand comes we'll be looking at other commercial solutions to replace our X520's with.
> -Dave
>> On Jun 24, 2016, at 8:28 AM, Dave Crawford <bro at pingtrip.com> wrote:
>> Would anyone happen to have documentation for configuring ZC and Bro? I have NTop's PF_RING and ixgbe driver packages installed, the proper license in /etc/pf_ring, and have compiled Bro with the NTop libraries but I'm seeing the kernel error below along with a ton of “split routing” messages in weird.conf, so I suspect the flows aren’t being load balanced correctly.
>> Jun 22 15:10:03 win-csignsm-01 kernel: [11060.244524] [PF_RING] Unable to activate two or more ZC sockets on the same interface eth6/link direction
>> The monitored NIC is an Intel X520-LR1.
>> Contents of /etc/pf_ring/zc/ixgbe/ixgbe.conf:
>> RSS=10 allow_unsupported_sfp=0
>> Contents of /etc/pf_ring/hugepages.conf
>> node=1 hugepages=1024
>> And Bro is configured as:
>> [MID_INT]
>> type=worker
>> host=
>> interface=zc:eth6
>> lb_method=pf_ring
>> lb_procs=10
>> pin_cpus=10,11,12,13,14,15,16,17,18,19
>> Thanks!
>> -Dave
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

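An added example, not part of the original messages and not Bro or ntop code: a small check that ties the kernel message quoted above to the node.cfg stanza quoted above, flagging a worker stanza whose lb_procs processes all name the same zc:<device>. It assumes, as the reply suggests, that a numeric name after zc: is a zbalance_ipc cluster id; the function names are hypothetical.

```python
import configparser
import re

# Constructed inputs: the node.cfg stanza and kernel line quoted in the thread.
SAMPLE_NODE_CFG = """
[MID_INT]
type=worker
host=
interface=zc:eth6
lb_method=pf_ring
lb_procs=10
pin_cpus=10,11,12,13,14,15,16,17,18,19
"""
SAMPLE_KERNEL_LOG = (
    "Jun 22 15:10:03 win-csignsm-01 kernel: [11060.244524] [PF_RING] Unable to "
    "activate two or more ZC sockets on the same interface eth6/link direction\n"
)
ZC_CONFLICT = re.compile(
    r"\[PF_RING\] Unable to activate two or more ZC sockets on the same interface (\S+?)/"
)

def zc_conflict_interfaces(log_text):
    """Interfaces named in PF_RING ZC socket-conflict kernel messages."""
    return set(ZC_CONFLICT.findall(log_text))

def shared_zc_workers(cfg_text):
    """Map section -> (device, lb_procs) for worker stanzas where more than one
    process is pointed at a single zc:<device> (assumption: a numeric name is
    a zbalance_ipc cluster id and is skipped)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    findings = {}
    for name in cp.sections():
        sec = cp[name]
        iface = sec.get("interface", "")
        procs = sec.getint("lb_procs", fallback=1)
        if sec.get("type") != "worker" or not iface.startswith("zc:"):
            continue
        device = iface[3:]
        if procs > 1 and not device.split("@")[0].isdigit():
            findings[name] = (device, procs)
    return findings

def correlate(cfg_text, log_text):
    """Stanzas whose shared ZC device also appears in a kernel conflict message."""
    hit = zc_conflict_interfaces(log_text)
    return sorted(n for n, (dev, _) in shared_zc_workers(cfg_text).items() if dev in hit)
```
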