[Bro] Fwd: Configure error linking libpcap and pthread

Doug Burks doug.burks at gmail.com
Fri Aug 29 07:58:27 PDT 2014 

It's possible that Bro is not actually using PF_RING and is actually
falling back to standard libpcap.  Have you checked /proc/net/pf_ring/
to see if there is evidence of Bro using PF_RING?

On Fri, Aug 29, 2014 at 10:53 AM, Joe Blow <blackhole.em at gmail.com> wrote:
> So i've gone and recompiled with PF_RING 6.  I have everything working and
> using PF_RING correctly, but i'm still seeing packet loss (around 25% on a
> 400-450mb/s link).   I was only ever able to get Bro working with
> "Transparent mode = 0" and not 2 or 1.  I might be doing something
> completely wrong, but whenever i start BRO, i only ever see one thread
> peaking at 100%. Here is my node configuration:
>
> [worker-0]
> type=worker
> host=10.10.10.10
> interface=eth3
> lb_method=pf_ring
> lb_procs=12
>
> Any ideas as to why i'm only getting one thread seeing the bro traffic?
> Excuse my ignorance.
>
> Cheers,
>
> JB
>
>
> On Thu, Aug 28, 2014 at 7:06 PM, Joe Blow <blackhole.em at gmail.com> wrote:
>>
>> Doug Burks was quick to point out that i didn't export LIBS or LDFLAGS.
>>
>> I would have NEVER guessed this... thanks a thousand times over for this
>> tidbit.  Configure finished just fine.  Making now.  Will update once i've
>> got it up and load balanced.
>>
>> <code>
>>
>> export LDFLAGS="-Wl,--no-as-needed -lrt"
>>
>> export LIBS="-lrt -lnuma"
>>
>> </code>
>>
>> Cheers,
>>
>> JB
>>
>>
>> On Thu, Aug 28, 2014 at 6:52 PM, Doug Burks <doug.burks at gmail.com> wrote:
>>>
>>> Hi Joe,
>>>
>>> When I packaged Bro 2.3 and PF_RING 6.0.2, I had to do the following:
>>>
>>> export LDFLAGS := $(LDFLAGS) -Wl,--no-as-needed -lrt
>>> export LIBS := $(LIBS) -lrt -lnuma
>>>
>>> Depending on your configuration, you may also need to include
>>> -lpthread in your LIBS.
>>>
>>> On Thu, Aug 28, 2014 at 5:52 PM, Joe Blow <blackhole.em at gmail.com> wrote:
>>> > Hey all,
>>> >
>>> > I'm having a really tough time getting PF_RING working with Bro in a
>>> > threaded fashion.  I have PF_RING compiled and working fine (tcpdump
>>> > test
>>> > works fine with Transparent mode = 2):
>>> >
>>> > PF_RING Version          : 6.0.2 ($Revision: exported$)
>>> > Total rings              : 0
>>> >
>>> > Standard (non DNA) Options
>>> > Ring slots               : 4096
>>> > Slot version             : 16
>>> > Capture TX               : No [RX only]
>>> > IP Defragment            : No
>>> > Socket Mode              : Standard
>>> > Transparent mode         : No [mode 2]
>>> > Total plugins            : 0
>>> > Cluster Fragment Queue   : 0
>>> > Cluster Fragment Discard : 0
>>> >
>>> > Bro is version 2.3 (sha1 - 79397be0e351165d44047b044d29b5e6580532cc
>>> > bro-2.3.tar.gz)
>>> > OS is CentOS 6.4 running 2.6.32-358.11.1.el6.x86_64
>>> >
>>> > When I try and configure against my PF_RING libraries, I get this:
>>> >
>>> > ./configure --with-pcap=/opt/pfring
>>> > Build Directory : build
>>> > Source Directory: /root/src/bro-2.3
>>> > -- The C compiler identification is GNU
>>> > -- The CXX compiler identification is GNU
>>> > -- Check for working C compiler: /usr/bin/gcc
>>> > -- Check for working C compiler: /usr/bin/gcc -- works
>>> > -- Detecting C compiler ABI info
>>> > -- Detecting C compiler ABI info - done
>>> > -- Check for working CXX compiler: /usr/bin/c++
>>> > -- Check for working CXX compiler: /usr/bin/c++ -- works
>>> > -- Detecting CXX compiler ABI info
>>> > -- Detecting CXX compiler ABI info - done
>>> > -- Found sed: /bin/sed
>>> > -- Found Perl: /usr/bin/perl
>>> > -- Found FLEX: 2.5.35
>>> > -- Found BISON: /usr/bin/bison
>>> > -- Found PCAP: /opt/pfring/lib/libpcap.so
>>> > -- Performing Test PCAP_LINKS_SOLO
>>> > -- Performing Test PCAP_LINKS_SOLO - Failed
>>> > -- Looking for include files CMAKE_HAVE_PTHREAD_H
>>> > -- Looking for include files CMAKE_HAVE_PTHREAD_H - found
>>> > -- Looking for pthread_create in pthreads
>>> > -- Looking for pthread_create in pthreads - not found
>>> > -- Looking for pthread_create in pthread
>>> > -- Looking for pthread_create in pthread - found
>>> > -- Found Threads: TRUE
>>> > -- Performing Test PCAP_NEEDS_THREADS
>>> > -- Performing Test PCAP_NEEDS_THREADS - Failed
>>> > CMake Error at cmake/FindPCAP.cmake:61 (message):
>>> >   Couldn't determine how to link against libpcap
>>> > Call Stack (most recent call first):
>>> >   cmake/FindRequiredPackage.cmake:26 (find_package)
>>> >   CMakeLists.txt:52 (FindRequiredPackage)
>>> >
>>> >
>>> > -- Configuring incomplete, errors occurred!
>>> >
>>> > I'm banging my head against this, but I believe this is because bro
>>> > can't
>>> > find the threading library to link to.  Could someone point me in the
>>> > right
>>> > direction?  Do I need other threading libraries? Static linking?
>>> >
>>> > Cheers,
>>> >
>>> > JB
>>> >
>>> >
>>> > _______________________________________________
>>> > Bro mailing list
>>> > bro at bro-ids.org
>>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>>
>>>
>>> --
>>> Doug Burks
>>> Need Security Onion Training or Commercial Support?
>>> http://securityonionsolutions.com
>>
>>
>



-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

More information about the Bro mailing list