[Bro] Using native PF_RING plugin with broctl

Seth Hall seth at icir.org
Tue Feb 28 06:17:09 PST 2017

> On Feb 27, 2017, at 5:54 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> When I configured and installed bro from source, I did:
> $./configure --prefix=/usr/local/bro/2.5 --with-pcap=/usr/local/pfring/5.6.2

Yep, you are using the libpcap wrapper here, which is currently the only way to do clustered load balancing with PF_Ring unless you do that tiny change that Mark pointed out a minute ago.  To get that more tightly integrated and configurable with broctl would take a bit more work, but as a hack that tiny change would work.

You can tell in your node.cfg if you are using the libpcap wrapper or the plugin by the interface name.  If you use an interface name like: pf_ring::eth1, then you are using the plugin and load balancing won't work.  If you are just using an interface name like eth1 and lb_method=pf_ring, then you will be using the libpcap wrapper.

When the pf_ring developers contributed the pf_ring plugin, it seems that they didn't do full integration with the deployment method.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
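
Added example, not part of the original message and not broctl code: a small Python check that reads a node.cfg and reports, per worker, which capture path the interface name selects according to the rule described above. The sample node.cfg, its hosts and the function name `classify_workers` are constructed for illustration; `lb_procs` is the broctl option that sets the number of load-balanced processes.

```python
import configparser

# Constructed sample node.cfg; hosts and interface names are made up.
SAMPLE_NODE_CFG = """
[manager]
type=manager
host=10.0.0.1
[worker-1]
type=worker
host=10.0.0.2
interface=eth1
lb_method=pf_ring
lb_procs=4
[worker-2]
type=worker
host=10.0.0.3
interface=pf_ring::eth1
lb_method=pf_ring
lb_procs=4
[worker-3]
type=worker
host=10.0.0.4
interface=eth2
"""

def classify_workers(cfg_text):
    """Return {worker_name: (capture_path, note)} for each worker section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    result = {}
    for name in parser.sections():
        node = parser[name]
        if node.get("type", "").strip() != "worker":
            continue  # manager, proxy and logger nodes do not capture packets
        iface = node.get("interface", "").strip()
        lb_method = node.get("lb_method", "").strip()
        if iface.startswith("pf_ring::"):
            # Native plugin packet source: load balancing won't work here.
            result[name] = ("plugin", "load balancing will not work")
        elif lb_method == "pf_ring":
            # Plain interface name plus lb_method=pf_ring: libpcap wrapper.
            result[name] = ("libpcap-wrapper", "clustered load balancing")
        else:
            result[name] = ("plain", "no PF_RING load balancing configured")
    return result

if __name__ == "__main__":
    for worker, (path, note) in classify_workers(SAMPLE_NODE_CFG).items():
        print(f"{worker}: {path} ({note})")
```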