[Bro] bro and pf_ring zc configuration success stories

Azoff, Justin S jazoff at illinois.edu
Thu Sep 28 06:14:53 PDT 2017

> On Sep 28, 2017, at 5:52 AM, radek <radoslawc at gmail.com> wrote:
> Hi!
> Thank you for your reply.
> In 'full zerocopy' mode:
> zbalance_ipc cluster-27.conf:
> https://gist.github.com/radoslawc/afa7293fde9ba5bc9f51640d5fc63005
> node.cfg:
> https://gist.github.com/radoslawc/c7406452f01c14caa43c729c164d701b
> bro doctor output for above setup:
> https://gist.github.com/radoslawc/bb3e608dfa7ceca97378c26e98520fae

Ah.. so this is not good:

error: 99.17%, 7562 out of 7625 connections are half duplex

And this is not great either:

ok, only 0.00%, 0 out of 13 connections appear to be duplicate

It only looked at 13 connections because there were only 13 bidirectional connections in the log.

I think your problem is this:


That should not actually work with the pf_ring plugin.. in order to use the pf_ring plugin the interface needs to start with pf_ring:: I believe you need


So try that and see if that fixes everything.  If not, can you remove lb_procs and move to one worker for now to at least verify that that configuration works.

> Bro doctor states that bro binary is not linked against pfring (which is correct, as configure doesn't give this option) instead I've used pf_ring plugin from aux:
> Bro-PF_RING.linux-x86_64.so
> user at u1604:/opt/bro/lib/bro/plugins/Bro_PF_RING/lib$ ldd Bro-PF_RING.linux-x86_64.so
>         linux-vdso.so.1 =>  (0x00007ffdd37f1000)
>         libpfring.so => /usr/local/lib/libpfring.so (0x00007f85dbd5e000)
>         libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f85db9dc000)
>         libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f85db7c6000)
>         libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f85db3fc000)
>         libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f85db1df000)
>         librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f85dafd7000)
>         libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f85dadd3000)
>         libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f85daaca000)
>         /lib64/ld-linux-x86-64.so.2 (0x00007f85dc1dc000)

Ah, that is correct.  I need to have it separately check to see if bro -N lists the pf_ring plugin.

If the pf_ring::zc thing fixes things, I'll fix bro-doctor to check for that.

I think the check needs to be that if bro -N lists the pf_ring plugin, the interface MUST start with pf_ring::

The bro pf_ring plugin should probably do the same check.. I think there are a few issues with the pf_ring plugin.  I'm working on fixing one issue that causes the plugin to be broken if you are not using ZC.

> I'll rebuild bro with gperftools only, thank you for pointing that out.
> Best regard
> Rado

Justin Azoff

More information about the Bro mailing list