[Bro] Bro and PF_RING Cluster ID
William Jones
jones at tacc.utexas.edu
Thu Aug 2 12:47:31 PDT 2012
It is not necessary for PF_RING to use different cluster id per capture interface.
You can increase the the number of works per cluster id by changing CLUSTER_LEN linux/pf_ring.h from 8 to 16 or 32.
There seems other limitation in the number of works on host in bro whne you gove above 8 works on a hosts.
Bill Jones
-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Robert Rotsted
Sent: Tuesday, July 31, 2012 5:36 PM
To: bro at bro-ids.org
Subject: [Bro] Bro and PF_RING Cluster ID
Hi all,
I'm running a clustered Bro instance with workers capturing traffic on three PF_RING enabled e1000e interfaces.
While looking in /proc/net/pf_ring/ I noticed that all of my Bro workers belong to cluster id 21. Is it possible (or desirable) in Bro to create a PF_RING cluster id per capture interface?
I read that PF_RING allows a maximum of eight workers per cluster id, is this still true?
Best,
Bob
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
More information about the Bro
mailing list