[Bro] Using native PF_RING plugin with broctl
mabuchan at gmail.com
Tue Feb 28 07:10:13 PST 2017
Sorry, Seth, I didn't send this to all and should have. Here was the email
that Seth was referring to.
I'll have to check later, but I was able to make the plugin work with some
source mods, I think. I think I tested and was unable to get it to work
natively using the broctl.conf changes that I sent to the list a few
I know there was some glitch that didn't make it work out of the box, but I
was able to modify the plugin and get it to work - just don't have that
code where I am now.
Ok - found the edits I made. Here are the diffs - however I have commented
out the second (and most necessary piece of code):
> char app_name = "bro";
> if ( pfring_set_application_name(pd, app_name) != 0 )
> Error(errno ? strerror(errno) : "unable to set app name");
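Review bot: `char app_name = "bro";` declares a single char, not a string, so what reaches pfring_set_application_name() is not a pointer to "bro". Declare it as `char app_name[] = "bro";` instead. The `errno ? strerror(errno) : ...` fallback only reports something useful if the call sets errno on failure, which is worth confirming.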
> /* Set default cluster type */
> /* u_int clusterId = 1;
> cluster_type cluster_hash_type = cluster_per_flow_5_tuple;
> if ( pfring_set_cluster(pd, clusterId, cluster_hash_type) != 0 )
> Error(errno ? strerror(errno) : "unable to set cluster
> pd = NULL;
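Review bot: in the commented-out cluster block, `clusterId = 1` and `cluster_per_flow_5_tuple` are hard-coded, so the plugin would ignore whatever cluster ID and hash type the deployment configures. Take both from configuration instead (the thread mentions PFRINGClusterID in broctl.conf). As pasted, the `/*` before `u_int clusterId` is never closed and the Error() string stops at "unable to set cluster", so the closing quote, parenthesis and `*/` need restoring before this can be tested. Also check that the ring is closed before `pd = NULL;` on the failure path, since no close is visible in these lines.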
The issue related back to not having the cluster hash set and I believe it
wouldn't fire. Additionally the first snippet of code sets the app name,
so when you cat /proc/net/pf_ring/<pid>.* you get "bro" out of it.
To note, I'm not a coder, so I'm happy I made it this far. There was some
question if the cluster_type was necessary if you had the broctl.conf items
in the file - but I can't remember the outcome of the test (but I
believe the comment out I have of the cluster type was me testing it).
Does that help? I know I was able to get the module to work, but I think I
had to include the above items to make it work. Additionally, there was
some glitch that omitted the PFRINGClusterID from the broctl.conf due to a
FreeBSD bug that said if PF_RING isn't needed, don't put that in there.
On Tue, Feb 28, 2017 at 8:17 AM, Seth Hall <seth at icir.org> wrote:
> > On Feb 27, 2017, at 5:54 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> > When I configured and installed bro from source, I did:
> > $./configure --prefix=/usr/local/bro/2.5 --with-pcap=/usr/local/pfring/
> Yep, you are using the libpcap wrapper here, which is currently the only
> way to do clustered load balancing with PF_Ring unless you do that tiny
> change that Mark pointed out a minute ago. To get that more tightly
> integrated and configurable with broctl would take a bit more work, but as
> a hack that tiny change would work.
> You can tell in your node.cfg if you are using the libpcap wrapper or the
> plugin by the interface name. If you use an interface name like:
> pf_ring::eth1, then you are using the plugin and load balancing won't
> work. If you are just using an interface name like eth1 and
> lb_method=pf_ring, then you will be using the libpcap wrapper.
> When the pf_ring developers contributed the pf_ring plugin, it seems that
> they didn't do full integration with the deployment method.
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> Bro mailing list
> bro at bro-ids.org
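
The node.cfg check described in the quoted reply above can be automated. The script below is an added example, not part of the original thread or of broctl. Its sample node.cfg is constructed, and the function name `classify_workers` is hypothetical.

```python
import configparser

# Constructed sample node.cfg: worker-1 uses a plain interface name with
# lb_method=pf_ring, worker-2 uses the plugin's pf_ring:: interface prefix.
SAMPLE_NODE_CFG = """
[manager]
type=manager
host=localhost

[worker-1]
type=worker
host=localhost
interface=eth1
lb_method=pf_ring
lb_procs=4

[worker-2]
type=worker
host=localhost
interface=pf_ring::eth2
lb_method=pf_ring
lb_procs=4
"""

def classify_workers(cfg_text):
    """Return {node: (capture_path, warning_or_None)} for each worker node."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    result = {}
    for name in cfg.sections():
        node = cfg[name]
        if node.get("type", "").strip() != "worker":
            continue
        iface = node.get("interface", "").strip()
        procs = node.getint("lb_procs", fallback=1)
        warn = None
        if iface.startswith("pf_ring::"):
            # Per the reply above: plugin interface, load balancing won't work.
            path = "plugin"
            if procs > 1:
                warn = "lb_procs=%d set, but the plugin does not load balance" % procs
        elif node.get("lb_method", "").strip() == "pf_ring":
            path = "libpcap-wrapper"
        else:
            path = "other"
        result[name] = (path, warn)
    return result

if __name__ == "__main__":
    for node, (path, warn) in classify_workers(SAMPLE_NODE_CFG).items():
        print(node, path, warn or "")
```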