[Bro] Using native PF_RING plugin with broctl
remi.jullian at ssi.gouv.fr
Tue Feb 28 01:31:18 PST 2017
>> On Feb 27, 2017, at 2:47 PM, Seth Hall <seth at icir.org> wrote:
>>> On Feb 27, 2017, at 2:19 PM, Gary Faulkner <gfaulkner.nsm at gmail.com> wrote:
>>> When you built Bro did you also configure/make/make install the pf_ring
>>> plugin? My recollection is that the plugins are not automatically built
>>> when you build bro. They should be in the
>>> <path-to-bro-source>/aux/plugins/ in the source tree. They typically
>>> install into <path-to-bro>/lib/bro/plugins/.
>> Are there people out there that are using the pf_ring plugin to successfully load balance traffic? I just checked the source to that plugin and I don't see where it sets up a load balanced ring. (I haven't worked on this plugin at all)
> I can see from this thread that a number of people think they are using the plugin, but are not actually using it.
> interface = eth0 # pf_ring libpcap wrapper
> interface = pf_ring::eth0 # native bro pf_ring plugin
Indeed, this is what I try to underline with this thread, I also believe
there is a glitch with the native PF_RING plugin.
I think that the example pointed by James Lay is using PF_RING through
the libpcap, but NOT with the native plugin. It can be proved by
breaking within Source.cc:192, the PcapSource::ExtractNextPacket() and
the underlaying pcap_next() function, should never be called, if the
plugin is properly used.
I would suggest using a libpcap compiled without PF_RING support, to
avoid confusion. This is actually how I test the plugin.
More information about the Bro