[Bro] Troubleshooting crashes

Tritium Cat tritium.cat at gmail.com
Tue Sep 25 04:03:19 PDT 2012 

On Thu, Sep 20, 2012 at 11:30 AM, Seth Hall <seth at icir.org> wrote:

>
> Arg!  You're right, I didn't read through that code closely enough.  I
> guess we're stuck in a position still where can't configure that since they
> haven't exposed it through their libpcap wrappers yet.  I'll try and bring
> that up with them soon.
>
> Daniel, you can either just delete that branch or wait until we have more
> configurability and make the correct modification then.
>

The PF_RING issue has been fixed and the API now allows selecting cluster
mode via API (with environment variables).

http://www.mail-archive.com/ntop-misc@listgateway.unipi.it/msg02972.html


I made the following patch for Bro.  To set the cluster mode from
broctl.cnf, set "PFRINGClusterType" to one of the following:

 - "2tuple"
 - "4tuple"
 - "5tupletcp"
 - "5tuple"

If PFRINGClusterType is not defined then the default will be
"cluster_per_flow", which is essentially 5-tuple unless the 802.1Q header
is present.

/tc


--- ../bro-2012-09-22/aux/broctl/BroControl/plugins/lb_pf_ring.py
2012-09-22 08:43:01.000000000 +0000
+++ aux/broctl/BroControl/plugins/lb_pf_ring.py 2012-09-25
10:48:54.000000000 +0000
@@ -21,5 +21,19 @@

             if nn.lb_method == "pf_ring":
                 if BroControl.config.Config.pfringclusterid != "0":
-                    nn.env_vars += ["PCAP_PF_RING_USE_CLUSTER_PER_FLOW=1"]
-                    nn.env_vars += ["PCAP_PF_RING_CLUSTER_ID=%s" %
BroControl.config.Config.pfringclusterid]
+                    if BroControl.config.Config.pfringclustertype ==
"2tuple":
+                        nn.env_vars +=
["PCAP_PF_RING_USE_CLUSTER_PER_FLOW_2_TUPLE=1"]
+                        nn.env_vars += ["PCAP_PF_RING_CLUSTER_ID=%s" %
BroControl.config.Config.pfringclusterid]
+                    elif BroControl.config.Config.pfringclustertype ==
"4tuple":
+                        nn.env_vars +=
["PCAP_PF_RING_USE_CLUSTER_PER_FLOW_4_TUPLE=1"]
+                        nn.env_vars += ["PCAP_PF_RING_CLUSTER_ID=%s" %
BroControl.config.Config.pfringclusterid]
+                    elif BroControl.config.Config.pfringclustertype ==
"5tupletcp":
+                        nn.env_vars +=
["PCAP_PF_RING_USE_CLUSTER_PER_FLOW_TCP_5_TUPLE=1"]
+                        nn.env_vars += ["PCAP_PF_RING_CLUSTER_ID=%s" %
BroControl.config.Config.pfringclusterid]
+                    elif BroControl.config.Config.pfringclustertype ==
"5tuple":
+                        nn.env_vars +=
["PCAP_PF_RING_USE_CLUSTER_PER_FLOW_5_TUPLE=1"]
+                        nn.env_vars += ["PCAP_PF_RING_CLUSTER_ID=%s" %
BroControl.config.Config.pfringclusterid]
+                    else:
+                        nn.env_vars +=
["PCAP_PF_RING_USE_CLUSTER_PER_FLOW=1"]
+                        nn.env_vars += ["PCAP_PF_RING_CLUSTER_ID=%s" %
BroControl.config.Config.pfringclusterid]
+
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120925/c654c948/attachment.html

More information about the Bro mailing list