[Bro] Confused about bro pf_ring support
William Jones
jones at tacc.utexas.edu
Wed May 8 13:47:32 PDT 2013
I changed my interface line to match yours. Now I don't see any pf_ring entries that indicate that pf_ring is active in /proc/net/pf_ring/.
I should see an entry like the following for each open device: 8115-p1p1.667.9.
Could you check your system's /proc/net/pf_ring and see whether you are really using pf_ring?
From: Jesse Bowling [mailto:jessebowling at gmail.com]
Sent: Wednesday, May 08, 2013 2:46 PM
To: William Jones
Cc: bro at bro.org
Subject: Re: [Bro] Confused about bro pf_ring support
Hi Bill,
I configured my PF_RING enabled workers like:
[worker-1]
type=worker
host=10.10.10.10
interface=p2p1\;p2p2\;p2p3\;p2p4
lb_method=pf_ring
lb_procs=8
...I also had to make a change I referenced on-list:
***********************
So while this apparently fixes my issue:
--- control.py 2013-02-13 12:08:00.514656601 -0500
+++ control_mod.py 2013-02-13 12:09:38.382663593 -0500
@@ -808,7 +808,7 @@
for (addr, interface) in hosts.keys():
node = hosts[addr, interface]
- capstats = [config.Config.capstatspath, "-i", interface, "-I", str(interval), "-n", "1"]
+ capstats = [config.Config.capstatspath, "-i", '"' + interface + '"', "-I", str(interval), "-n", "1"]
# Unfinished feature: only consider a particular MAC. Works here for capstats
# but Bro config is not adapted currently so we disable it for now.
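Review bot: the `+` line wraps the interface name in literal double-quote characters inside the argv list, which only helps if that list is later joined into a shell command string; if the same list is ever handed to a subprocess without a shell, the quotes become part of the argument and capstats is asked for an interface literally named `"p1p1.667 -ip1p2.667 ..."`. Since the intent is to keep a multi-interface value such as `p1p1.667 -ip1p2.667` from being word-split, quoting it with `pipes.quote(interface)` (Python 2) would also cover names containing quotes or other shell metacharacters, and a one-line comment above the `capstats = [...]` assignment saying why the interface is quoted would spare the next reader the guesswork.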
I cannot speak to how this might affect others, the system in general, or where else this issue might crop up. I suspect that anywhere that involves bash + interface names is likely to suffer unexpected results due to this PF_RING style invocation...
***********************
I'm not sure if that has been changed in the main distro however...Might be best to double check that file if you find your broctl cron jobs failing... :)
Cheers,
Jesse
On Wed, May 8, 2013 at 3:36 PM, William Jones <jones at tacc.utexas.edu> wrote:
I just tried pf_ring with the latest Bro. The following is the worker node entry in node.cfg:
[worker-1]
type=worker
host=ids.tacc.utexas.edu.
interface=p1p1.667 -ip1p2.667 -ip2p1.667 -ip2p2.667
lb_method=pf_ring
lb_procs=4
When I look at the conn.log file I find entries like the following:
1368039512.116220 hla3Z6U8RRb 128.83.144.198 40873 129.114.62.11 22 tcp - 0.097901 0 96 OTH F 0 dA 1 40 1 88 (empty) worker-1-1
1368039512.362164 lSJB3FANh21 128.83.144.198 40873 129.114.62.11 22 tcp - 0.002922 48 0 OTH F 0 DA 2 128 0 0 (empty) worker-1-3
I thought that pf_ring hashes flows so that the same flow always goes to the same worker, so that a worker sees all traffic for a flow.
I am using two dual-port Intel 520 NICs to read packets from a 10 GigE two-port LACP pair off two taps.
Is there anyone else using taps with pf_ring? If so, do you see anything wrong with my config?
Bill Jones
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
--
Jesse Bowling
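The symptom Bill reports above (the same TCP connection logged under two different workers) can be checked mechanically across a whole conn.log. The following script is an added example, not code from the thread or from Bro/broctl; it assumes the whitespace-separated column layout of the two quoted lines, with the worker name as the last column.

```python
"""Flag conn.log flows whose records were written by more than one worker.

Added example, not from the thread. With per-flow hashing (what pf_ring
load balancing is expected to provide) every record of a flow should carry
the same worker name; a flow that shows up under several workers is the
symptom described in the quoted mail.
"""
from collections import defaultdict

# Constructed sample: the two conn.log lines quoted in the mail above.
SAMPLE_LOG = """\
1368039512.116220 hla3Z6U8RRb 128.83.144.198 40873 129.114.62.11 22 tcp - 0.097901 0 96 OTH F 0 dA 1 40 1 88 (empty) worker-1-1
1368039512.362164 lSJB3FANh21 128.83.144.198 40873 129.114.62.11 22 tcp - 0.002922 48 0 OTH F 0 DA 2 128 0 0 (empty) worker-1-3
"""


def flow_key(orig_h, orig_p, resp_h, resp_p, proto):
    """Canonical, direction-insensitive key so both halves of a flow match."""
    a = (orig_h, orig_p)
    b = (resp_h, resp_p)
    return (proto,) + (a + b if a <= b else b + a)


def parse_conn_line(line):
    """Return (flow_key, worker) for one whitespace-separated conn.log record."""
    f = line.split()
    if len(f) < 8:
        raise ValueError("short conn.log record: %r" % line)
    # Assumed columns: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto ... worker
    return flow_key(f[2], f[3], f[4], f[5], f[6]), f[-1]


def split_flows(text):
    """Return {flow_key: sorted workers} for flows seen by more than one worker."""
    workers = defaultdict(set)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and Bro's '#' header lines
        key, worker = parse_conn_line(line)
        workers[key].add(worker)
    return {k: sorted(v) for k, v in workers.items() if len(v) > 1}


if __name__ == "__main__":
    for key, ws in split_flows(SAMPLE_LOG).items():
        print("flow %s seen on workers %s" % (key, ", ".join(ws)))
```

An empty result over a sizeable log is what a correctly hashing pf_ring setup should produce; any output means the load balancer is not keeping flows on one worker.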