[Bro] pf_ring on RHEL/CENTOS 6?

Matt Stucky mattchess50 at gmail.com
Mon Nov 4 11:09:30 PST 2013


In case anyone is interested, I ended up installing PF_RING from source,
then rebuilding the Bro RPM with PF_RING support.  It would be nice if the
native libpcap and tcpdump already had support for PF_RING, but that's not
currently the case.  I'd rather install everything from RPMs, but having
Bro at least installed from a package should make updates a little easier.
Here are the basic steps:

Install Prerequisites

1.    Add the EPEL repo to the system but leave it disabled:
/etc/yum.repos.d/epel.repo
2.    Remove conflicting packages: libpcap, tcpdump, cmake.
3.    Install prerequisites:  mpfr cpp ppl cloog-ppl gcc kernel-devel
pcre-devel libpcap-devel yum-plugin-priorities libnet flex bison gcc-c++
swig rpm-build
4.    Install prerequisites from EPEL:  libyaml libyaml-devel cmake28
5.    Create a softlink for cmake pointing to the newer version from EPEL.

Build and Install PF_RING

1.    Download the source from
http://sourceforge.net/projects/ntop/files/PF_RING/
2.    Configure, make, and install the kernel module, libpcap, and tcpdump
3.    Create an /etc/modprobe.d/pfring.conf entry to load the kernel module
at boot
4.    Manually load the pf_ring module for now
5.    Create an ldconfig file /etc/ld.so.conf.d/pfring.conf that contains
the path to the libpcap dynamic libraries
6.    Run “ldconfig” to load the new config for now

Build the Bro RPM with PF_RING Support

1.    Download the source from http://www.bro.org/download/index.html and
unpack it with a non-root user.
2.    As that non-root user, go into the bro-2.1/pkg directory and edit the
check-cmake file so that the cmake check matches the version you have.
3.    As the non-root user edit the make-rpm-packages file and add the
--with-pcap=/usr/local/pfring (or wherever you installed PF_RING) option to
the configure lines.
4.    As the non-root user execute the make-rpm-packages script; the
packages will end up in the bro-2.1/build/ directory.

Install Bro from the newly built RPM package

It's running now with PF_RING and very few dropped packet notices.

# cat /proc/net/pf_ring/info
PF_RING Version          : 5.6.1 ($Revision: exported$)
Total rings              : 4

Standard (non DNA) Options
Ring slots               : 4096
Slot version             : 15
Capture TX               : No [RX only]
IP Defragment            : No
Socket Mode              : Standard
Transparent mode         : Yes [mode 0]
Total plugins            : 0
Cluster Fragment Queue   : 3464
Cluster Fragment Discard : 1036837

-matt
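The boot-time and ldconfig steps from the "Build and Install PF_RING" list, plus the two checks you want before trusting the "very few dropped packets" result, as an added shell example that is not part of the original post and not PF_RING's or Bro's own tooling. It assumes the /usr/local/pfring prefix named in the post, that the PF_RING-built libpcap sits in the lib/ subdirectory of that prefix (an assumption), and adds a DESTDIR variable so the file-writing functions can be exercised against a scratch tree. On RHEL/CentOS 6 a modprobe.d file only sets module parameters; the load itself at boot comes from an executable script in /etc/sysconfig/modules/, which rc.sysinit runs.

```shell
#!/bin/sh
# Added example, not from the original post or from PF_RING/Bro.
# Assumptions: PF_RING prefix /usr/local/pfring (from the post) with its
# libpcap under lib/ (assumed); DESTDIR is an added knob for testing.
set -eu

PFRING_PREFIX="${PFRING_PREFIX:-/usr/local/pfring}"
DESTDIR="${DESTDIR:-}"

# Module parameters in modprobe.d; the actual load at boot is done by an
# executable /etc/sysconfig/modules/*.modules script (RHEL/CentOS 6).
write_modprobe_conf() {
    mkdir -p "$DESTDIR/etc/modprobe.d" "$DESTDIR/etc/sysconfig/modules"
    # transparent_mode=0 is what "Transparent mode : Yes [mode 0]" reports.
    printf 'options pf_ring transparent_mode=0\n' \
        > "$DESTDIR/etc/modprobe.d/pfring.conf"
    printf '#!/bin/sh\n/sbin/modprobe pf_ring\n' \
        > "$DESTDIR/etc/sysconfig/modules/pfring.modules"
    chmod 0755 "$DESTDIR/etc/sysconfig/modules/pfring.modules"
}

# Make the PF_RING-aware libpcap resolvable by the dynamic linker.
write_ldso_conf() {
    mkdir -p "$DESTDIR/etc/ld.so.conf.d"
    printf '%s/lib\n' "$PFRING_PREFIX" > "$DESTDIR/etc/ld.so.conf.d/pfring.conf"
    # Refresh the linker cache only on a real root, not in a scratch tree.
    [ -n "$DESTDIR" ] || ldconfig
}

# Print the "Total rings" value from a /proc/net/pf_ring/info-style file.
pf_ring_total_rings() {
    awk -F: '/^Total rings/ { gsub(/ /, "", $2); print $2; exit }' "$1"
}

# Succeed only if at least one ring is open. A loaded module that reports
# "Total rings : 0" (the first /proc output in the thread) means nothing
# is capturing through PF_RING: the workers are still on the stock libpcap.
pf_ring_in_use() {
    n=$(pf_ring_total_rings "${1:-/proc/net/pf_ring/info}")
    [ -n "$n" ] && [ "$n" -gt 0 ]
}

# From `ldd <bro binary>` output on stdin, print the libpcap the binary
# resolves to; after the --with-pcap rebuild it should be under the prefix.
ldd_libpcap_path() {
    awk '$1 ~ /^libpcap\.so/ { print $3; exit }'
}

# Succeed if the libpcap path found on stdin lives under PFRING_PREFIX.
libpcap_is_pfring() {
    case "$(ldd_libpcap_path)" in
        "$PFRING_PREFIX"/*) return 0 ;;
        *) return 1 ;;
    esac
}

case "${1:-}" in
    apply) write_modprobe_conf; write_ldso_conf ;;
    check)
        if pf_ring_in_use; then echo "pf_ring: rings open"
        else echo "pf_ring: no rings open, capture is not using PF_RING"; fi
        if ldd "${2:-/usr/local/bro/bin/bro}" | libpcap_is_pfring; then
            echo "bro: linked against the PF_RING libpcap"
        else echo "bro: NOT linked against $PFRING_PREFIX/lib/libpcap"; fi
        ;;
esac
```

Run it as `sh pfring-setup.sh apply` once after the PF_RING install, and `sh pfring-setup.sh check [/path/to/bro]` after starting the workers; a non-zero ring count together with a libpcap path under the PF_RING prefix is the evidence that the Dropped_Packets notices are now being judged against PF_RING capture rather than the stock library.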

On Wed, Oct 30, 2013 at 10:33 AM, Matt Stucky <mattchess50 at gmail.com> wrote:

> I've set up a Bro 2.1 instance with a network tap, but keep getting notice
> log entries of "PacketFilter::Dropped_Packets".  I'm assuming this is
> because Bro is single threaded and it needs more workers to keep up with
> the traffic, so I'm trying to implement pf_ring to distribute the traffic
> across multiple workers.  I've installed the pf_ring RPM package from ntop (
> http://www.nmon.net/packages/rpm/x86_64/PF_RING/) and that gets the
> kernel module loaded but seems to be lacking something still - probably
> linking libpcap to pf_ring?  That's what I'm not sure about.  After
> installing pf_ring from the RPM package and configuring Bro for multiple
> workers it starts up ok but is still dropping packets (all of the workers,
> per the notice log) and pf_ring doesn't appear to be used:
>
> # cat /proc/net/pf_ring/info
> PF_RING Version          : 5.6.2 ($Revision: 6910$)
> Total rings              : 0
>
> Standard (non DNA) Options
> Ring slots               : 4096
> Slot version             : 15
> Capture TX               : No [RX only]
> IP Defragment            : No
> Socket Mode              : Standard
> Transparent mode         : Yes [mode 0]
> Total plugins            : 0
> Cluster Fragment Queue   : 0
> Cluster Fragment Discard : 0
>
> Has anyone had any success with clustered Bro with pf_ring on RHEL/CENTOS,
> and did you have to compile it from source and re-compile libpcap?  I'd
> prefer to stick with the RPM packages since it tends to make updating less
> problematic.  I installed Bro 2.1 as an RPM package as well.
>
> Thanks,
> Matt
>