[Bro] Fwd: Configure error linking libpcap and pthread

Joe Blow blackhole.em at gmail.com
Fri Aug 29 07:53:20 PDT 2014 

So i've gone and recompiled with PF_RING 6.  I have everything working and
using PF_RING correctly, but i'm still seeing packet loss (around 25% on a
400-450mb/s link).   I was only ever able to get Bro working with
"Transparent mode = 0" and not 2 or 1.  I might be doing something
completely wrong, but whenever i start BRO, i only ever see one thread
peaking at 100%. Here is my node configuration:

[worker-0]
type=worker
host=10.10.10.10
interface=eth3
lb_method=pf_ring
lb_procs=12

Any ideas as to why i'm only getting one thread seeing the bro traffic?
Excuse my ignorance.

Cheers,

JB


On Thu, Aug 28, 2014 at 7:06 PM, Joe Blow <blackhole.em at gmail.com> wrote:

> Doug Burks was quick to point out that i didn't export LIBS or LDFLAGS.
>
> I would have NEVER guessed this... thanks a thousand times over for this
> tidbit.  Configure finished just fine.  Making now.  Will update once i've
> got it up and load balanced.
>
> <code>
>
> export LDFLAGS="-Wl,--no-as-needed -lrt"
>
> export LIBS="-lrt -lnuma"
> </code>
>
> Cheers,
>
> JB
>
>
> On Thu, Aug 28, 2014 at 6:52 PM, Doug Burks <doug.burks at gmail.com> wrote:
>
>> Hi Joe,
>>
>> When I packaged Bro 2.3 and PF_RING 6.0.2, I had to do the following:
>>
>> export LDFLAGS := $(LDFLAGS) -Wl,--no-as-needed -lrt
>> export LIBS := $(LIBS) -lrt -lnuma
>>
>> Depending on your configuration, you may also need to include
>> -lpthread in your LIBS.
>>
>> On Thu, Aug 28, 2014 at 5:52 PM, Joe Blow <blackhole.em at gmail.com> wrote:
>> > Hey all,
>> >
>> > I'm having a really tough time getting PF_RING working with Bro in a
>> > threaded fashion.  I have PF_RING compiled and working fine (tcpdump
>> test
>> > works fine with Transparent mode = 2):
>> >
>> > PF_RING Version          : 6.0.2 ($Revision: exported$)
>> > Total rings              : 0
>> >
>> > Standard (non DNA) Options
>> > Ring slots               : 4096
>> > Slot version             : 16
>> > Capture TX               : No [RX only]
>> > IP Defragment            : No
>> > Socket Mode              : Standard
>> > Transparent mode         : No [mode 2]
>> > Total plugins            : 0
>> > Cluster Fragment Queue   : 0
>> > Cluster Fragment Discard : 0
>> >
>> > Bro is version 2.3 (sha1 - 79397be0e351165d44047b044d29b5e6580532cc
>> > bro-2.3.tar.gz)
>> > OS is CentOS 6.4 running 2.6.32-358.11.1.el6.x86_64
>> >
>> > When I try and configure against my PF_RING libraries, I get this:
>> >
>> > ./configure --with-pcap=/opt/pfring
>> > Build Directory : build
>> > Source Directory: /root/src/bro-2.3
>> > -- The C compiler identification is GNU
>> > -- The CXX compiler identification is GNU
>> > -- Check for working C compiler: /usr/bin/gcc
>> > -- Check for working C compiler: /usr/bin/gcc -- works
>> > -- Detecting C compiler ABI info
>> > -- Detecting C compiler ABI info - done
>> > -- Check for working CXX compiler: /usr/bin/c++
>> > -- Check for working CXX compiler: /usr/bin/c++ -- works
>> > -- Detecting CXX compiler ABI info
>> > -- Detecting CXX compiler ABI info - done
>> > -- Found sed: /bin/sed
>> > -- Found Perl: /usr/bin/perl
>> > -- Found FLEX: 2.5.35
>> > -- Found BISON: /usr/bin/bison
>> > -- Found PCAP: /opt/pfring/lib/libpcap.so
>> > -- Performing Test PCAP_LINKS_SOLO
>> > -- Performing Test PCAP_LINKS_SOLO - Failed
>> > -- Looking for include files CMAKE_HAVE_PTHREAD_H
>> > -- Looking for include files CMAKE_HAVE_PTHREAD_H - found
>> > -- Looking for pthread_create in pthreads
>> > -- Looking for pthread_create in pthreads - not found
>> > -- Looking for pthread_create in pthread
>> > -- Looking for pthread_create in pthread - found
>> > -- Found Threads: TRUE
>> > -- Performing Test PCAP_NEEDS_THREADS
>> > -- Performing Test PCAP_NEEDS_THREADS - Failed
>> > CMake Error at cmake/FindPCAP.cmake:61 (message):
>> >   Couldn't determine how to link against libpcap
>> > Call Stack (most recent call first):
>> >   cmake/FindRequiredPackage.cmake:26 (find_package)
>> >   CMakeLists.txt:52 (FindRequiredPackage)
>> >
>> >
>> > -- Configuring incomplete, errors occurred!
>> >
>> > I'm banging my head against this, but I believe this is because bro
>> can't
>> > find the threading library to link to.  Could someone point me in the
>> right
>> > direction?  Do I need other threading libraries? Static linking?
>> >
>> > Cheers,
>> >
>> > JB
>> >
>> >
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>>
>> --
>> Doug Burks
>> Need Security Onion Training or Commercial Support?
>> http://securityonionsolutions.com
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140829/1a0e3270/attachment.html

More information about the Bro mailing list