[Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

Michal Purzynski (JIRA) jira at bro-tracker.atlassian.net
Wed Sep 9 19:37:00 PDT 2015 

    [ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22014#comment-22014 ] 

Michal Purzynski commented on BIT-1363:
---------------------------------------

And I have just tested kernel 3.16 with Bro from git and a configuration like this

/opt/bro/etc/local-eth0.bro

redef Pcap::bufsize = 256;
redef Pcap::packet_fanout_enable = T;
redef Pcap::packet_fanout_id = 9001;
redef Pcap::packet_fanout_defrag = T;

[nsm-stage1-manager]
type=manager
host=localhost

[nsm-stage1-proxy1]
type=proxy
host=localhost
[nsm-stage1-proxy2]
type=proxy
host=localhost

[opsecnatprod1-eth0-0]
type=worker
host=localhost
interface=eth0
aux_scripts=/opt/bro/etc/local-eth0.bro
[opsecnatprod1-eth0-1]
type=worker
host=localhost
interface=eth0
aux_scripts=/opt/bro/etc/local-eth0.bro
[opsecnatprod1-eth0-2]
type=worker
host=localhost
interface=eth0
aux_scripts=/opt/bro/etc/local-eth0.bro
[opsecnatprod1-eth0-3]
type=worker
host=localhost
interface=eth0
aux_scripts=/opt/bro/etc/local-eth0.bro

And packets from the same connection are sent to different workers. WTH.

eth0 is the interface that accepts and sends traffic out - it is a NAT instance in AWS if that matters.

> Clustered AF_PACKET support
> ---------------------------
>
>                 Key: BIT-1363
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Michal Purzynski
>
> Let's have a support for packet capture with the AF_PACKET sockets in multi worker configuration.
> Bro can use a single worker with af_packet, I have tested and it works, but having a direct support for multi-worker load balancing would allow to avoid the pf_ring for many deployments with the traffic level where DNA / ZC / Myricom / DAG is not required.



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-04-018#70102)

More information about the bro-dev mailing list