[Bro] pf_ring on RHEL/CENTOS 6?
Matt Stucky
mattchess50 at gmail.com
Wed Oct 30 08:33:31 PDT 2013
I've set up a Bro 2.1 instance with a network tap, but keep getting notice
log entries of "PacketFilter::Dropped_Packets". I'm assuming this is
because Bro is single threaded and it needs more workers to keep up with
the traffic, so I'm trying to implement pf_ring to distribute the traffic
across multiple workers. I've installed the pf_ring RPM package from ntop (
http://www.nmon.net/packages/rpm/x86_64/PF_RING/) and that gets the kernel
module loaded but seems to be lacking something still - probably linking
libpcap to pf_ring? That's what I'm not sure about. After installing
pf_ring from the RPM package and configuring Bro for multiple workers it
starts up ok but is still dropping packets (all of the workers, per the
notice log) and pf_ring doesn't appear to be used:
# cat /proc/net/pf_ring/info
PF_RING Version : 5.6.2 ($Revision: 6910$)
Total rings : 0
Standard (non DNA) Options
Ring slots : 4096
Slot version : 15
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
Has anyone had any success with clustered Bro with pf_ring on RHEL/CENTOS,
and did you have to compile it from source and re-compile libpcap? I'd
prefer to stick with the RPM packages since it tends to make updating less
problematic. I installed Bro 2.1 as an RPM package as well.
Thanks,
Matt
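
The check described in the message above, as an added example that is not part of the original post: `Total rings : 0` means no process currently has a PF_RING socket open, so the script classifies that state and reports which libpcap a capture binary resolves to at load time. The function names and the binary-path argument are hypothetical, and the sample text is constructed from the field layout shown in the post.

```shell
#!/bin/sh
# Constructed sample input, using the field layout shown in the post.
SAMPLE_INFO='PF_RING Version : 5.6.2 ($Revision: 6910$)
Total rings : 0
Ring slots : 4096'

# Print the "Total rings" value from PF_RING info text on stdin.
# Prints nothing and returns 1 if the field is missing or not numeric.
total_rings() {
    awk -F: '
        /^Total rings[ \t]*:/ {
            gsub(/[ \t]/, "", $2)
            if ($2 ~ /^[0-9]+$/) { print $2; found = 1; exit }
        }
        END { exit(found ? 0 : 1) }'
}

# Classify the capture state from info text on stdin:
#   in-use  = at least one PF_RING socket is open
#   idle    = module loaded, but nothing is capturing through it
#   unknown = input could not be parsed (e.g. module not loaded)
pf_ring_state() {
    n=$(total_rings) || { echo unknown; return 0; }
    if [ "$n" -gt 0 ]; then echo in-use; else echo idle; fi
}

# Print the libpcap path the dynamic linker resolves, from `ldd` output
# on stdin. Empty output means libpcap is not dynamically linked.
resolved_libpcap() {
    awk '$1 ~ /^libpcap\.so/ && $2 == "=>" { print $3; exit }'
}

# Offline demonstration on the constructed sample.
echo "sample: $(printf '%s\n' "$SAMPLE_INFO" | pf_ring_state)"

# Live use: pass the path of the capture binary as $1 (assumed argument).
if [ -r /proc/net/pf_ring/info ] && [ -n "${1:-}" ]; then
    echo "pf_ring: $(pf_ring_state < /proc/net/pf_ring/info)"
    echo "libpcap: $(ldd "$1" | resolved_libpcap)"
fi
```

An `idle` result while the workers are running, together with a libpcap path pointing at the distribution's stock library, indicates the capture process is not going through PF_RING.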