[Bro] Confused about bro pf_ring support
William Jones
jones at tacc.utexas.edu
Wed May 8 12:36:35 PDT 2013
I just tried pf_ring with the latest Bro. The following is the worker node entry in node.cfg:
[worker-1]
type=worker
host=ids.tacc.utexas.edu.
interface=p1p1.667 -ip1p2.667 -ip2p1.667 -ip2p2.667
lb_method=pf_ring
lb_procs=4
When I look at the conn.log file I find entries like the following:
1368039512.116220 hla3Z6U8RRb 128.83.144.198 40873 129.114.62.11 22 tcp - 0.097901 0 96 OTH F 0 dA 1 40 1 88 (empty) worker-1-1
1368039512.362164 lSJB3FANh21 128.83.144.198 40873 129.114.62.11 22 tcp - 0.002922 48 0 OTH F 0 DA 2 128 0 0 (empty) worker-1-3
I thought that pf_ring hashes flows so that the same flow always goes to the same worker, so that a worker sees all traffic for a flow.
I am using two dual-port Intel 520 NICs to read packets from a 10 GigE two-port LACP pair off two taps.
Is there anyone else using taps with pf_ring? If so, do you see anything wrong with my config?
Bill Jones
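One way to measure the symptom described in the post, as an added example that is not part of the original message or of Bro itself: the script groups conn.log entries by a direction-independent 5-tuple and reports flows that were logged by more than one worker. It assumes the worker name is the last column, as in the two sample lines above, and uses a hypothetical 60-second window to decide that two entries belong to the same flow.

```python
from collections import defaultdict

# Sample input: the two conn.log lines from the post plus one constructed,
# unsplit flow (documentation addresses) for contrast.
SAMPLE = """\
1368039512.116220 hla3Z6U8RRb 128.83.144.198 40873 129.114.62.11 22 tcp - 0.097901 0 96 OTH F 0 dA 1 40 1 88 (empty) worker-1-1
1368039512.362164 lSJB3FANh21 128.83.144.198 40873 129.114.62.11 22 tcp - 0.002922 48 0 OTH F 0 DA 2 128 0 0 (empty) worker-1-3
1368039513.000000 aaaaaaaaaaa 192.0.2.10 51000 192.0.2.20 443 tcp ssl 1.5 500 900 SF F 0 ShADadFf 6 800 5 1200 (empty) worker-1-2
"""

def flow_key(orig_h, orig_p, resp_h, resp_p, proto):
    """Direction-independent 5-tuple, so A->B and B->A map to the same key."""
    a, b = sorted([(orig_h, int(orig_p)), (resp_h, int(resp_p))])
    return (a, b, proto)

def split_flows(lines, window=60.0):
    """Return {flow_key: sorted worker names} for flows that were logged by
    more than one worker within `window` seconds of each other."""
    seen = defaultdict(list)  # flow_key -> [(ts, worker)]
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and Bro's "#fields"-style headers
        f = line.split()
        if len(f) < 8:
            continue  # not a conn.log record
        ts, worker = float(f[0]), f[-1]  # assumption: worker name is last column
        seen[flow_key(f[2], f[3], f[4], f[5], f[6])].append((ts, worker))
    result = {}
    for key, entries in seen.items():
        entries.sort()
        workers = set()
        # Compare neighbouring entries in time order for the same 5-tuple.
        for (t1, w1), (t2, w2) in zip(entries, entries[1:]):
            if w1 != w2 and t2 - t1 <= window:
                workers.update((w1, w2))
        if workers:
            result[key] = sorted(workers)
    return result

if __name__ == "__main__":
    for key, workers in split_flows(SAMPLE.splitlines()).items():
        print(key, "->", workers)
```

Running it over a full conn.log shows whether split flows are the exception or the rule, which helps separate a load-balancing problem from ordinary port reuse.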