[Bro] Using native PF_RING plugin with broctl

Mark Buchanan mabuchan at gmail.com
Tue Feb 28 07:10:13 PST 2017

Sorry, Seth, I didn't send this to all and should have.  Here was the email
that Seth was referring to.

I'll have to check later, but I was able to make the plugin work with some
source mods, I think.  I think I tested and was unable to get it to work
natively using the broctl.conf changes that I sent to the list a few
minutes ago.

I know there was some glitch that didn't make it work out of the box, but I
was able to modify the plugin and get it to work - just don't have that
code where I am now.

Ok - found the edits I made.  Here are the diffs - however I have commented
out the second (and most necessary piece of code):

diff bro-2.5*/aux/plugins/pf_ring/src/PF_RING.cc
>       char app_name[4] = "bro";
>         if ( pfring_set_application_name(pd, app_name) != 0 )
>               {
>               Error(errno ? strerror(errno) : "unable to set app name");
>               return;
>               }
>       /* Set default cluster type */
> /*    u_int clusterId = 1;
>       cluster_type cluster_hash_type = cluster_per_flow_5_tuple;
>       if ( pfring_set_cluster(pd, clusterId, cluster_hash_type) != 0 )
>               {
>               Error(errno ? strerror(errno) : "unable to set cluster
>               pfring_close(pd);
>               pd = NULL;
>               return;
>               }
>  */
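
Review bot: In the first block, the failure path for pfring_set_application_name() returns with pd still open, while the commented-out cluster block calls pfring_close(pd) and sets pd = NULL before its return; both paths should clean up the same way, or the app-name failure should only be reported and not abort setup. In the commented-out block, the Error(...) call on the "unable to set cluster" line has no closing quote and no closing ");", so it will not compile once the comment markers are removed, and clusterId is hard-coded to 1 where it should come from configuration. The hand-sized char app_name[4] could be written as char app_name[] = "bro"; so the compiler sizes it.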

The issue related back to not having the cluster hash set and I believe it
wouldn't fire.  Additionally the first snippet of code sets the app name,
so when you cat /proc/net/pf_ring/<pid>.* you get "bro" out of it.

To note, I'm not a coder, so I'm happy I made it this far.  There was some
question if the cluster_type was necessary if you had the broctl.conf items
in the file - but I can't remember the outcome of the test (but I
believe the comment out I have of the cluster type was me testing it).

Does that help?  I know I was able to get the module to work, but I think I
had to include the above items to make it work.  Additionally, there was
some glitch that omitted the PFRINGClusterID from the broctl.conf due to a
FreeBSD bug that said if PF_RING isn't needed, don't put that in there.


On Tue, Feb 28, 2017 at 8:17 AM, Seth Hall <seth at icir.org> wrote:

> > On Feb 27, 2017, at 5:54 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
> >
> > When I configured and installed bro from source, I did:
> > $./configure --prefix=/usr/local/bro/2.5 --with-pcap=/usr/local/pfring/
> 5.6.2
> Yep, you are using the libpcap wrapper here, which is currently the only
> way to do clustered load balancing with PF_Ring unless you do that tiny
> change that Mark pointed out a minute ago.  To get that more tightly
> integrated and configurable with broctl would take a bit more work, but as
> a hack that tiny change would work.
> You can tell in your node.cfg if you are using the libpcap wrapper or the
> plugin by the interface name.  If you use an interface name like:
> pf_ring::eth1, then you are using the plugin and load balancing won't
> work.  If you are just using an interface name like eth1 and
> lb_method=pf_ring, then you will be using the libpcap wrapper.
> When the pf_ring developers contributed the pf_ring plugin, it seems that
> they didn't do full integration with the deployment method.
>   .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/

Mark Buchanan
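
The node.cfg check Seth describes in the quoted reply, written out as an added example (not code from the thread or from the Bro project). The sample node.cfg is constructed, the function name and the three category labels are this example's own, and lb_procs is assumed to be the broctl option that sets the number of load-balanced worker processes.

```python
import configparser

# Constructed sample node.cfg; hosts and interfaces are made up.
SAMPLE_NODE_CFG = """
[manager]
type=manager
host=10.0.0.10
[worker-1]
type=worker
host=10.0.0.11
interface=eth1
lb_method=pf_ring
lb_procs=4
[worker-2]
type=worker
host=10.0.0.12
interface=pf_ring::eth1
lb_procs=4
[worker-3]
type=worker
host=10.0.0.13
interface=eth2
"""

def classify_workers(node_cfg_text):
    """Map each worker to (capture_path, warning or None)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(node_cfg_text)
    result = {}
    for name in cfg.sections():
        node = cfg[name]
        if node.get("type", "").strip() != "worker":
            continue
        iface = node.get("interface", "").strip()
        lb_method = node.get("lb_method", "").strip()
        lb_procs = int(node.get("lb_procs", "1"))
        warning = None
        if iface.startswith("pf_ring::"):
            # Plugin path: per the reply, load balancing won't work here.
            path = "plugin"
            if lb_procs > 1 or lb_method:
                warning = "load balancing requested but plugin is in use"
        elif lb_method == "pf_ring":
            path = "libpcap-wrapper"
        else:
            path = "no-pf_ring-lb"  # this example's label, not a broctl term
        result[name] = (path, warning)
    return result
```

Calling classify_workers() on the text of a real node.cfg lists every worker whose interface name selects the plugin while load balancing is still requested.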