[Bro] Using native PF_RING plugin with broctl
remi.jullian at ssi.gouv.fr
Mon Feb 27 09:10:47 PST 2017
When I set 'interface=eth0' and 'lb_method=pf_ring', the broctl deploy
command works, bro starts, but PF_RING is not used. Indeed, all workers
receive the same packets (i.e. no load-balancing is performed).
When I cat the file /proc/net/pf_ring/info, the total number of rings
used is 0. Moreover, when I put a breakpoint within Source.cc:192
(PcapSource::ExtractNextPacket), I can see the call to the libpcap
function pcap_next(), which should never be called.
> I think you just need "interface=eth0". It knows to use pf_ring because
> of the next line.
> On Mon, Feb 27, 2017, 05:14 Jullian Remi <remi.jullian at ssi.gouv.fr> wrote:
> Hi all,
> I am trying to use Bro's PF_RING plugin with broctl, using a simple bro
> cluster on a single host.
> Here is an extract of my 'node.cfg' file:
> When I used the deploy command, I got the following error: "fatal error:
> type of packet source 'pf_ring' no recognized, or mode not supported"
> Here is the output of the deploy command:
> [BroControl] > deploy
> starting ...
> starting manager ...
> starting proxy ...
> starting worker-1
> starting worker-8
> worker-1 terminated immediately after starting; check output with "diag"
> worker-8 terminated immediately after starting; check output with "diag"
> And when running "diag":
> [BroControl] > diag
> ==== stderr.log
> fatal error: type of packet source 'pf_ring' no recognized, or mode not
> However I do not have any problem running bro as a standalone process
> with local commands such as:
> $/usr/local/bro/bin/bro -i pf_ring::eth0
> listening on eth0
> $/usr/local/bro/bin/bro -N | grep PF
> Bro::PF_RING - Packet acquisition via PF_RING (dynamic, version 1.0)
> This tends to prove the Bro plugin has been installed and works.
> I think Broctl is launching the Bro binary without the right settings for
> the plugin to be found/to work correctly. Am I missing something with
> the configuration files?
> Maybe the environment variables aren't properly set?
> Does anyone use bro's PF_RING plugin with a cluster configuration
> without issues?