[Bro] Confused about bro pf_ring support

William Jones jones at tacc.utexas.edu
Wed May 8 13:47:32 PDT 2013


I changed my interface line to match yours. Now I don't see any pf_ring entries that indicate that pf_ring is active in /proc/net/pf_ring/.

I should see an entry like the following for each open device: 8115-p1p1.667.9.


Could you check your system's /proc/net/pf_ring and see if you are really using pf_ring?

From: Jesse Bowling [mailto:jessebowling at gmail.com]
Sent: Wednesday, May 08, 2013 2:46 PM
To: William Jones
Cc: bro at bro.org
Subject: Re: [Bro] Confused about bro pf_ring support

Hi Bill,
I configured my PF_RING enabled workers like:

[worker-1]
type=worker
host=10.10.10.10
interface=p2p1\;p2p2\;p2p3\;p2p4
lb_method=pf_ring
lb_procs=8

...I also had to make a change I referenced on-list:
***********************
So while this apparently fixes my issue:
--- control.py  2013-02-13 12:08:00.514656601 -0500
+++ control_mod.py      2013-02-13 12:09:38.382663593 -0500
@@ -808,7 +808,7 @@
     for (addr, interface) in hosts.keys():
         node = hosts[addr, interface]

-        capstats = [config.Config.capstatspath, "-i", interface, "-I", str(interval), "-n", "1"]
+        capstats = [config.Config.capstatspath, "-i", '"' + interface + '"', "-I", str(interval), "-n", "1"]

 # Unfinished feature: only consider a particular MAC. Works here for capstats
 # but Bro config is not adapted currently so we disable it for now.
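Review bot: wrapping the interface in literal double quotes on the `+` line (`'"' + interface + '"'`) only has the intended effect if the `capstats` list is later joined into a single string and run through a shell; if the list is handed to subprocess as an argv list, the quote characters become part of the interface name and capstats will not find the device. Since the problem being worked around is the `;`-separated PF_RING interface list (`p2p1\;p2p2\;...`), it would be safer to quote at the point where the command string is built, with `pipes.quote` (Python 2) or `shlex.quote`, which also covers other shell metacharacters, and to add a comment in the hunk saying why the quoting is there.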

I cannot speak to how this might affect others, the system in general, or where else this issue might crop up. I suspect that anywhere that involves bash + interface names is likely to suffer unexpected results due to this PF_RING style invocation...
***********************
I'm not sure if that has been changed in the main distro however...Might be best to double check that file if you find your broctl cron jobs failing... :)

Cheers,

Jesse

On Wed, May 8, 2013 at 3:36 PM, William Jones <jones at tacc.utexas.edu> wrote:
I just tried pf_ring with the latest Bro. The following is the worker node entry in node.cfg:

[worker-1]
type=worker
host=ids.tacc.utexas.edu.
interface=p1p1.667 -ip1p2.667 -ip2p1.667 -ip2p2.667
lb_method=pf_ring
lb_procs=4


When I look at the conn.log file I find entries like the following:

1368039512.116220       hla3Z6U8RRb     128.83.144.198  40873   129.114.62.11   22      tcp     -       0.097901        0       96 OTH      F       0       dA      1       40      1       88      (empty) worker-1-1
1368039512.362164       lSJB3FANh21     128.83.144.198  40873   129.114.62.11   22      tcp     -       0.002922        48      0  OTH      F       0       DA      2       128     0       0       (empty) worker-1-3

I thought that pf_ring hashed flows so that the same flow always went to the same worker, so that one worker saw all traffic for a flow.

I am using two dual-port Intel 520 NICs to read packets from a 10 GigE two-port LACP pair off two taps.

Is there anyone else using taps with pf_ring? If so, do you see anything wrong with my config?


Bill Jones

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



--
Jesse Bowling
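The two conn.log lines quoted above show one TCP connection (same endpoints and ports) logged by worker-1-1 and again by worker-1-3, which is exactly what flow-aware load balancing should prevent. The following script is an added example, not code from the thread or from the Bro project, for checking a conn.log for this symptom: it groups records by a direction-independent 5-tuple and reports any flow that more than one worker handled. It assumes the tab-separated column layout of the quoted lines (orig_h, orig_p, resp_h, resp_p, proto in columns 3 to 7, worker name in the last column); the sample log text is constructed from the two quoted records plus one healthy flow.

```python
from collections import defaultdict

# Constructed sample: the two records quoted in the thread (one flow split across
# worker-1-1 and worker-1-3) plus one flow that stayed on a single worker.
SAMPLE_CONN_LOG = (
    "1368039512.116220\thla3Z6U8RRb\t128.83.144.198\t40873\t129.114.62.11\t22\ttcp\t-"
    "\t0.097901\t0\t96\tOTH\tF\t0\tdA\t1\t40\t1\t88\t(empty)\tworker-1-1\n"
    "1368039512.362164\tlSJB3FANh21\t128.83.144.198\t40873\t129.114.62.11\t22\ttcp\t-"
    "\t0.002922\t48\t0\tOTH\tF\t0\tDA\t2\t128\t0\t0\t(empty)\tworker-1-3\n"
    "1368039513.000000\tAAAAAAAAAAA\t10.0.0.5\t51000\t10.0.0.9\t443\ttcp\t-"
    "\t0.5\t100\t200\tSF\tF\t0\tShAdDaFf\t5\t400\t4\t500\t(empty)\tworker-1-2\n"
)


def flow_key(orig_h, orig_p, resp_h, resp_p, proto):
    """Direction-independent 5-tuple: both halves of a connection, whichever side
    a worker happened to see first, map to the same key."""
    ends = sorted([(orig_h, int(orig_p)), (resp_h, int(resp_p))])
    return (proto, ends[0], ends[1])


def parse_conn_lines(log_text):
    """Yield (flow_key, worker) for each data line; skip blanks and '#' headers.
    Assumes the column layout of the quoted conn.log (worker name last)."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 8:
            continue
        yield flow_key(fields[2], fields[3], fields[4], fields[5], fields[6]), fields[-1]


def split_flows(log_text):
    """Return {flow_key: sorted worker names} for every flow that more than one
    worker logged; an empty dict means flow hashing looks healthy."""
    workers_by_flow = defaultdict(set)
    for key, worker in parse_conn_lines(log_text):
        workers_by_flow[key].add(worker)
    return {k: sorted(w) for k, w in workers_by_flow.items() if len(w) > 1}


if __name__ == "__main__":
    for (proto, a, b), workers in split_flows(SAMPLE_CONN_LOG).items():
        print("%s %s:%d <-> %s:%d seen by %s" % (proto, a[0], a[1], b[0], b[1], ", ".join(workers)))
```

Run it against a real conn.log by replacing SAMPLE_CONN_LOG with the file contents; a non-empty result on a pf_ring cluster points at the interface configuration (or the pf_ring cluster setup) rather than at Bro's analysis.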