[Bro] pf_ring on RHEL/CENTOS 6?

Matt Stucky mattchess50 at gmail.com
Wed Oct 30 08:33:31 PDT 2013


I've set up a Bro 2.1 instance with a network tap, but keep getting notice
log entries of "PacketFilter::Dropped_Packets".  I'm assuming this is
because Bro is single threaded and it needs more workers to keep up with
the traffic, so I'm trying to implement pf_ring to distribute the traffic
across multiple workers.  I've installed the pf_ring RPM package from ntop (
http://www.nmon.net/packages/rpm/x86_64/PF_RING/) and that gets the kernel
module loaded but seems to be lacking something still - probably linking
libpcap to pf_ring?  That's what I'm not sure about.  After installing
pf_ring from the RPM package and configuring Bro for multiple workers it
starts up ok but is still dropping packets (all of the workers, per the
notice log) and pf_ring doesn't appear to be used:

# cat /proc/net/pf_ring/info
PF_RING Version          : 5.6.2 ($Revision: 6910$)
Total rings              : 0

Standard (non DNA) Options
Ring slots               : 4096
Slot version             : 15
Capture TX               : No [RX only]
IP Defragment            : No
Socket Mode              : Standard
Transparent mode         : Yes [mode 0]
Total plugins            : 0
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0

Has anyone had any success with clustered Bro with pf_ring on RHEL/CENTOS,
and did you have to compile it from source and re-compile libpcap?  I'd
prefer to stick with the RPM packages since it tends to make updating less
problematic.  I installed Bro 2.1 as an RPM package as well.

Thanks,
Matt
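
A scripted form of the `/proc/net/pf_ring/info` check shown in the post, as an added example that is not part of the original message: it reads the `Total rings` line and compares it with an expected worker count. The function names, the constructed sample input, and the assumption that each Bro worker opens one ring are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): decide from
# /proc/net/pf_ring/info whether any capture process is using PF_RING.

# Constructed sample mirroring the output quoted in the post.
SAMPLE_INFO='PF_RING Version          : 5.6.2 ($Revision: 6910$)
Total rings              : 0

Standard (non DNA) Options
Ring slots               : 4096'

# pf_ring_field NAME: print the value of the "NAME : value" line on stdin.
# Splits on the first colon only, so values containing ':' stay intact.
pf_ring_field() {
    awk -v key="$1" '{
        i = index($0, ":"); if (i == 0) next
        k = substr($0, 1, i - 1); sub(/[ \t]+$/, "", k)
        if (k == key) { v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit }
    }'
}

# pf_ring_status [EXPECTED]: classify the info text on stdin.
# EXPECTED is the number of workers configured (assumption: one ring each).
pf_ring_status() {
    expected=${1:-1}
    rings=$(pf_ring_field "Total rings")
    case "$rings" in
        ''|*[!0-9]*) echo "unknown: no Total rings line" ;;
        0) echo "unused: module loaded, 0 rings open" ;;
        *) if [ "$rings" -lt "$expected" ]; then
               echo "partial: $rings rings, expected $expected"
           else
               echo "ok: $rings rings open"
           fi ;;
    esac
}

INFO=/proc/net/pf_ring/info
if [ -r "$INFO" ]; then
    pf_ring_status "${1:-1}" < "$INFO"
else
    echo "no $INFO on this host; classifying the constructed sample:"
    printf '%s\n' "$SAMPLE_INFO" | pf_ring_status "${1:-1}"
fi
```

An "unused" result while the workers are running means the capture processes are not opening PF_RING sockets, which matches the symptom described in the post.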