[Bro-Dev] PF_RING cluster ID

Martin Holste mcholste at gmail.com
Wed Aug 31 14:45:51 PDT 2011


Ah, very cool!  This may work for me--I will have to play around with
it and learn the cluster setup.

VLAN interfaces often have wrong checksums on them, depending on the
setup, so you may initially have needed that and then changed
something.

On Wed, Aug 31, 2011 at 2:24 PM, William Jones <jones at tacc.utexas.edu> wrote:
> You can divide the work up by using pcap filters and specifying a different aux script for each worker node. I have set up one node to monitor a tagged 10 GigE VLAN that I use to peer with I2, NLR and the internet using a TAP. Each worker monitors 1/8 the traffic on the I2, NLR and Internet connections.
>
> The second node monitors traffic from a mirrored 10 GigE interface. Each worker monitors 1/4 the traffic.
>
> I haven't seen any drops out of bro.
>
>
> I use the following filter:
>
> q1of8.bro:
>    redef restrict_filters += { ["q1"] = "(ip[12:4] + ip[16:4]) & 7 == 1" };
>
> q2of8.bro:
>    redef restrict_filters += { ["q1"] = "(ip[12:4] + ip[16:4]) & 7 == 2" };
> ..
> q8of8.bro:
>    redef restrict_filters += { ["q1"] = "(ip[12:4] + ip[16:4]) & 7 == 7" };
>
> Here is the node file:
>
> #
> # Node configuration
> #
>
> [manager]
> type=manager
> host=homey.tacc.utexas.edu
>
> [proxy-1]
> type=proxy
> host=homey.tacc.utexas.edu
>
> [worker-1]
> type=worker
> host=mojo1.tacc.utexas.edu
> interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C
> aux_scripts=q0of8
>
>
> [worker-2]
> type=worker
> host=mojo1.tacc.utexas.edu
> interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C
> aux_scripts=q1of8
>
>
> [worker-3]
> type=worker
> host=mojo1.tacc.utexas.edu
> interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C
> aux_scripts=q2of8
>
>
> [worker-4]
> type=worker
> host=mojo1.tacc.utexas.edu
> interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C
> aux_scripts=q3of8
>
> [worker-5]
> type=worker
> host=mojo1.tacc.utexas.edu
> interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C
> aux_scripts=q4of8
>
> [worker-6]
> type=worker
> host=mojo1.tacc.utexas.edu
> interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C
> aux_scripts=q5of8
>
> [worker-7]
> type=worker
> host=mojo1.tacc.utexas.edu
> interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C
> aux_scripts=q6of8
>
> [worker-8]
> type=worker
> host=mojo1.tacc.utexas.edu
> interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C
> aux_scripts=q7of8
>
> [worker-9]
> type=worker
> host=homey1.tacc.utexas.edu
> interface=eth3.2  -C
> aux_scripts=q1
>
> [worker-10]
> type=worker
> host=homey1.tacc.utexas.edu
> interface=eth3.2  -C
> aux_scripts=q2
>
> [worker-11]
> type=worker
> host=homey1.tacc.utexas.edu
> interface=eth3.2  -C
> aux_scripts=q3
>
> [worker-12]
> type=worker
> host=homey1.tacc.utexas.edu
> interface=eth3.2  -C
> aux_scripts=q0
>
>
> -----Original Message-----
> From: bro-dev-bounces at bro-ids.org [mailto:bro-dev-bounces at bro-ids.org] On Behalf Of Seth Hall
> Sent: Wednesday, August 31, 2011 11:28 AM
> To: Martin Holste
> Cc: bro-dev
> Subject: Re: [Bro-Dev] PF_RING cluster ID
>
>
> On Aug 31, 2011, at 12:14 PM, Martin Holste wrote:
>
>> PF_RING's greatest feature is the ability to do per-flow clustering so
>> that many sniffers can run in parallel on their own CPU and each
>> receive a portion of the traffic which has been load-balanced.  Snort
>> and Suricata both support this, and we've come to rely on it as we
>> don't have access to hardware load balancing.  Is there a way to do
>> this in Bro?
>
> Use the cluster deployment in BroControl and assign each of the virtual interfaces to a separate worker node.  Since you're running the git master though, keep in mind that the broctl master that is currently checked out has some problems.  I'll work on merging in our fixed branch today and I'll reply again once it's updated.
>
>  .Seth
>
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro-ids.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
>
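
The hash-based split quoted above, as an added example that is not part of the original thread: it evaluates the same `(ip[12:4] + ip[16:4]) & 7` expression in Python to show that both directions of a flow reach the same worker, and checks that a set of assigned residues leaves no bucket unmonitored. The function names, the `q<N>of8` key naming and the sample addresses are assumptions made for illustration; a power-of-two worker count is assumed.

```python
import ipaddress
from collections import Counter

def bucket(src: str, dst: str, workers: int = 8) -> int:
    """Evaluate (ip[12:4] + ip[16:4]) & (workers - 1) for one IPv4 packet."""
    if workers < 1 or workers & (workers - 1):
        raise ValueError("the mask trick needs a power-of-two worker count")
    s = int(ipaddress.IPv4Address(src))   # ip[12:4] = source address
    d = int(ipaddress.IPv4Address(dst))   # ip[16:4] = destination address
    # BPF arithmetic is 32-bit unsigned, so the sum wraps before masking.
    return ((s + d) & 0xFFFFFFFF) & (workers - 1)

def filters(workers: int = 8) -> dict:
    """One filter string per residue; keys follow the q<N>of8 names (assumed)."""
    return {f"q{i}of{workers}": f"(ip[12:4] + ip[16:4]) & {workers - 1} == {i}"
            for i in range(workers)}

def uncovered(residues, workers: int = 8) -> list:
    """Residues no worker filters on: IPv4 traffic that nobody inspects."""
    return sorted(set(range(workers)) - set(residues))

def duplicated(residues) -> list:
    """Residues claimed by more than one worker: traffic analysed twice."""
    return sorted(r for r, n in Counter(residues).items() if n > 1)

# Constructed sample flows (documentation address ranges), not real traffic.
FLOWS = [("192.0.2.10", "198.51.100.7"), ("192.0.2.11", "198.51.100.7"),
         ("203.0.113.5", "192.0.2.10"), ("255.255.255.255", "0.0.0.3")]

if __name__ == "__main__":
    for src, dst in FLOWS:
        # Addition commutes, so both directions of a flow reach the same worker.
        assert bucket(src, dst) == bucket(dst, src)
        print(f"{src} <-> {dst}: worker residue {bucket(src, dst)}")
    for name, expr in filters().items():
        print(f'{name}.bro: redef restrict_filters += {{ ["{name}"] = "{expr}" }};')
    print("uncovered if only 1..7 are assigned:", uncovered(range(1, 8)))
```

The `ip[...]` accessor matches only IPv4 packets, so IPv6 and non-IP frames satisfy none of these filters and need their own handling if they are to be monitored.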
