[Bro-Dev] PF_RING cluster ID
jones at tacc.utexas.edu
Wed Aug 31 13:15:50 PDT 2011
Good point about the -C. I set it because I was getting checksum errors.
I now know that the source was due to the small snaplen that bro uses in combination with a standard optimization in the new 10 GigE card that will present several continuous packets as one to pcap. So 10 1500-byte packets could turn into one 15000-byte packet.
I patched the bro server weeks ago. I forgot to remove the -C parameter.
I just removed it on my bro cluster and it is not complaining about checksums.
I don't mind fixing my configs if you give me a more standard way to do something. When is the next version coming out?
From: Seth Hall [mailto:seth at icir.org]
Sent: Wednesday, August 31, 2011 2:43 PM
To: William Jones
Cc: Martin Holste; bro-dev
Subject: Re: [Bro-Dev] PF_RING cluster ID
On Aug 31, 2011, at 3:24 PM, William Jones wrote:
> interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021 -C
Heh, the hack rears its head again (including command line stuff in the 'interface' option). We really need to get multiple interface support in broctl soon. :)
I do actually have a question though: why have you included -C? Using the -C flag when running in production on live traffic is actually pretty bad to do, since you leave yourself open to trivial evasion. You should be seeing valid checksums anywhere you'd be sniffing anyway; the checksum problem only happens when a host offloads the checksum calculation to the NIC and you're sniffing traffic on your local machine.
Let me know when you are ready to upgrade to the next release when we get it out too because there is an easier way to do your per-node script. I *think* that what you're currently doing should continue to work though. Thanks for documenting the filter trick for the list. :)
International Computer Science Institute
(Bro) because everyone has a network
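The two failure modes discussed in this thread, a checksum the sniffer cannot trust because the sending host left it for the NIC to fill in, and a coalesced segment that the snaplen truncates so the checksum cannot be verified at all, are easy to tell apart before deciding whether a flag like -C is justified. The following is an added example, not code from the thread or from Bro: a small IPv4/TCP checksum verifier run over a constructed packet. The addresses, ports and payload are made up for the demonstration, and `check_checksums=False` stands in for what ignoring checksums does to an analyzer's view of the traffic.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the folded sum."""
    return (~ones_complement_sum(data)) & 0xFFFF

def build_ipv4_tcp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a raw IPv4/TCP packet (no link layer) with correct IP and TCP checksums."""
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, tcp_len)   # TCP pseudo-header
    tcp_csum = checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr + payload

def with_bad_tcp_checksum(frame: bytes) -> bytes:
    """Flip one bit of the TCP checksum (offset 36 for a 20-byte IP header); models a
    checksum the host never computed because it was offloaded to the NIC."""
    return frame[:36] + bytes([frame[36] ^ 0x01]) + frame[37:]

def classify(frame: bytes, wirelen: int, check_checksums: bool = True) -> str:
    """Classify a captured IPv4/TCP packet as 'truncated', 'bad-checksum' or 'ok'.

    frame    -- the bytes the capture actually kept (caplen)
    wirelen  -- the length the packet had on the wire
    check_checksums=False mimics an analyzer told to ignore checksums.
    """
    if len(frame) < wirelen:
        # snaplen cut the packet (e.g. a NIC-coalesced 15000-byte segment):
        # the TCP checksum covers bytes we never saw, so it cannot be verified.
        return "truncated"
    if not check_checksums:
        return "ok"                          # accepts whatever is on the wire
    ihl = (frame[0] & 0x0F) * 4
    if ones_complement_sum(frame[:ihl]) != 0xFFFF:
        return "bad-checksum"
    total_len = struct.unpack("!H", frame[2:4])[0]
    src, dst = frame[12:16], frame[16:20]
    segment = frame[ihl:total_len]
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(segment))
    if ones_complement_sum(pseudo + segment) != 0xFFFF:
        return "bad-checksum"
    return "ok"

if __name__ == "__main__":
    # constructed sample traffic: 10.0.0.1:40000 -> 10.0.0.2:80
    good = build_ipv4_tcp(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    bad = with_bad_tcp_checksum(good)
    print("good packet, verified:      ", classify(good, len(good)))          # ok
    print("offload-style packet:       ", classify(bad, len(bad)))            # bad-checksum
    print("same packet, checks skipped:", classify(bad, len(bad), False))     # ok
    print("snaplen-truncated packet:   ", classify(good[:40], len(good)))     # truncated
```

Running the verifier over a sample from each sensor's vantage point answers Seth's question empirically: if bad checksums only show up for packets originating on the capture host itself, that is offload, and the fix is to not sniff locally generated traffic (or to disable offload on that host) rather than to ignore checksums everywhere. A large count of "truncated" results points at the snaplen versus coalescing problem instead, which -C does nothing to solve.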