[Bro] Fwd: Configure error linking libpcap and pthread
Joe Blow
blackhole.em at gmail.com
Fri Aug 29 08:31:30 PDT 2014
It sure is. Here is what it's telling me from the proc fs:
# cat /proc/net/pf_ring/53559-eth3.103
Bound Device(s) : eth3
Active : 1
Breed : Non-DNA
Sampling Rate : 1
Capture Direction : RX+TX
Socket Mode : RX+TX
Appl. Name : <unknown>
IP Defragment : No
BPF Filtering : Enabled
# Sw Filt. Rules : 0
# Hw Filt. Rules : 0
Poll Pkt Watermark : 1
Num Poll Calls : 1
Channel Id Mask : 0xFFFFFFFF
Cluster Id : 0
Slot Version : 16 [6.0.2]
Min Num Slots : 32768
Bucket Len : 8192
Slot Len : 8232 [bucket+header]
Tot Memory : 269758464
Tot Packets : 220334266
Tot Pkt Lost : 74243221
Tot Insert : 146091045
Tot Read : 145749734
Insert Offset : 136479200
Remove Offset : 136550784
TX: Send Ok : 0
TX: Send Errors : 0
Reflect: Fwd Ok : 0
Reflect: Fwd Errors: 0
Num Free Slots : 0
This is where I'm seeing tons of the packet loss. I've got snort running
with PF_RING on the same box with 8 threads, 0 packet loss. Any ideas?
Cheers,
JB
On Fri, Aug 29, 2014 at 10:58 AM, Doug Burks <doug.burks at gmail.com> wrote:
> It's possible that Bro is not actually using PF_RING and is actually
> falling back to standard libpcap. Have you checked /proc/net/pf_ring/
> to see if there is evidence of Bro using PF_RING?
>
> On Fri, Aug 29, 2014 at 10:53 AM, Joe Blow <blackhole.em at gmail.com> wrote:
> > So I've gone and recompiled with PF_RING 6. I have everything working and
> > using PF_RING correctly, but I'm still seeing packet loss (around 25% on a
> > 400-450mb/s link). I was only ever able to get Bro working with
> > "Transparent mode = 0" and not 2 or 1. I might be doing something
> > completely wrong, but whenever I start BRO, I only ever see one thread
> > peaking at 100%. Here is my node configuration:
> >
> > [worker-0]
> > type=worker
> > host=10.10.10.10
> > interface=eth3
> > lb_method=pf_ring
> > lb_procs=12
> >
> > Any ideas as to why I'm only getting one thread seeing the bro traffic?
> > Excuse my ignorance.
> >
> > Cheers,
> >
> > JB
> >
> >
> > On Thu, Aug 28, 2014 at 7:06 PM, Joe Blow <blackhole.em at gmail.com> wrote:
> >>
> >> Doug Burks was quick to point out that I didn't export LIBS or LDFLAGS.
> >>
> >> I would have NEVER guessed this... thanks a thousand times over for this
> >> tidbit. Configure finished just fine. Making now. Will update once I've
> >> got it up and load balanced.
> >>
> >> <code>
> >>
> >> export LDFLAGS="-Wl,--no-as-needed -lrt"
> >>
> >> export LIBS="-lrt -lnuma"
> >>
> >> </code>
> >>
> >> Cheers,
> >>
> >> JB
> >>
> >>
> >> On Thu, Aug 28, 2014 at 6:52 PM, Doug Burks <doug.burks at gmail.com> wrote:
> >>>
> >>> Hi Joe,
> >>>
> >>> When I packaged Bro 2.3 and PF_RING 6.0.2, I had to do the following:
> >>>
> >>> export LDFLAGS := $(LDFLAGS) -Wl,--no-as-needed -lrt
> >>> export LIBS := $(LIBS) -lrt -lnuma
> >>>
> >>> Depending on your configuration, you may also need to include
> >>> -lpthread in your LIBS.
> >>>
> >>> On Thu, Aug 28, 2014 at 5:52 PM, Joe Blow <blackhole.em at gmail.com> wrote:
> >>> > Hey all,
> >>> >
> >>> > I'm having a really tough time getting PF_RING working with Bro in a
> >>> > threaded fashion. I have PF_RING compiled and working fine (tcpdump test
> >>> > works fine with Transparent mode = 2):
> >>> >
> >>> > PF_RING Version : 6.0.2 ($Revision: exported$)
> >>> > Total rings : 0
> >>> >
> >>> > Standard (non DNA) Options
> >>> > Ring slots : 4096
> >>> > Slot version : 16
> >>> > Capture TX : No [RX only]
> >>> > IP Defragment : No
> >>> > Socket Mode : Standard
> >>> > Transparent mode : No [mode 2]
> >>> > Total plugins : 0
> >>> > Cluster Fragment Queue : 0
> >>> > Cluster Fragment Discard : 0
> >>> >
> >>> > Bro is version 2.3 (sha1 - 79397be0e351165d44047b044d29b5e6580532cc
> >>> > bro-2.3.tar.gz)
> >>> > OS is CentOS 6.4 running 2.6.32-358.11.1.el6.x86_64
> >>> >
> >>> > When I try and configure against my PF_RING libraries, I get this:
> >>> >
> >>> > ./configure --with-pcap=/opt/pfring
> >>> > Build Directory : build
> >>> > Source Directory: /root/src/bro-2.3
> >>> > -- The C compiler identification is GNU
> >>> > -- The CXX compiler identification is GNU
> >>> > -- Check for working C compiler: /usr/bin/gcc
> >>> > -- Check for working C compiler: /usr/bin/gcc -- works
> >>> > -- Detecting C compiler ABI info
> >>> > -- Detecting C compiler ABI info - done
> >>> > -- Check for working CXX compiler: /usr/bin/c++
> >>> > -- Check for working CXX compiler: /usr/bin/c++ -- works
> >>> > -- Detecting CXX compiler ABI info
> >>> > -- Detecting CXX compiler ABI info - done
> >>> > -- Found sed: /bin/sed
> >>> > -- Found Perl: /usr/bin/perl
> >>> > -- Found FLEX: 2.5.35
> >>> > -- Found BISON: /usr/bin/bison
> >>> > -- Found PCAP: /opt/pfring/lib/libpcap.so
> >>> > -- Performing Test PCAP_LINKS_SOLO
> >>> > -- Performing Test PCAP_LINKS_SOLO - Failed
> >>> > -- Looking for include files CMAKE_HAVE_PTHREAD_H
> >>> > -- Looking for include files CMAKE_HAVE_PTHREAD_H - found
> >>> > -- Looking for pthread_create in pthreads
> >>> > -- Looking for pthread_create in pthreads - not found
> >>> > -- Looking for pthread_create in pthread
> >>> > -- Looking for pthread_create in pthread - found
> >>> > -- Found Threads: TRUE
> >>> > -- Performing Test PCAP_NEEDS_THREADS
> >>> > -- Performing Test PCAP_NEEDS_THREADS - Failed
> >>> > CMake Error at cmake/FindPCAP.cmake:61 (message):
> >>> > Couldn't determine how to link against libpcap
> >>> > Call Stack (most recent call first):
> >>> > cmake/FindRequiredPackage.cmake:26 (find_package)
> >>> > CMakeLists.txt:52 (FindRequiredPackage)
> >>> >
> >>> >
> >>> > -- Configuring incomplete, errors occurred!
> >>> >
> >>> > I'm banging my head against this, but I believe this is because bro can't
> >>> > find the threading library to link to. Could someone point me in the right
> >>> > direction? Do I need other threading libraries? Static linking?
> >>> >
> >>> > Cheers,
> >>> >
> >>> > JB
> >>> >
> >>> >
> >>>
> >>>
> >>>
> >>> --
> >>> Doug Burks
> >>> Need Security Onion Training or Commercial Support?
> >>> http://securityonionsolutions.com
> >>
> >>
> >
>
>
>
> --
> Doug Burks
> Need Security Onion Training or Commercial Support?
> http://securityonionsolutions.com
>
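
Added example (not part of the original thread, and not code from Bro or PF_RING): a small parser for the per-socket statistics file shown in the top message, which computes the drop ratio and flags a full ring and a socket whose Cluster Id is 0. Reading Cluster Id 0 as "socket joined no PF_RING cluster" and the `/proc/net/pf_ring/*-*.*` file pattern are assumptions; the sample values are copied from the post.

```python
import glob

# Per-socket statistics quoted from the top message of this thread (subset).
SAMPLE = """\
Bound Device(s) : eth3
Appl. Name : <unknown>
Cluster Id : 0
Tot Packets : 220334266
Tot Pkt Lost : 74243221
Tot Insert : 146091045
Reflect: Fwd Errors: 0
Num Free Slots : 0
"""

def parse_ring(text):
    """Parse 'Key : value' lines; split on the last colon because some
    keys ('TX: Send Ok', 'Reflect: Fwd Errors') contain one themselves."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.rpartition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def ring_health(fields):
    total = int(fields["Tot Packets"])
    lost = int(fields["Tot Pkt Lost"])
    return {
        "loss_ratio": lost / total if total else 0.0,
        # In the quoted sample, Tot Insert + Tot Pkt Lost equals Tot Packets.
        "accounted": int(fields["Tot Insert"]) + lost == total,
        "ring_full": int(fields["Num Free Slots"]) == 0,
        # Assumption: Cluster Id 0 means the socket joined no PF_RING cluster.
        "clustered": int(fields["Cluster Id"]) != 0,
    }

def report(name, text):
    h = ring_health(parse_ring(text))
    notes = []
    if h["ring_full"]:
        notes.append("ring full")
    if not h["clustered"]:
        notes.append("no cluster id")
    suffix = f" ({', '.join(notes)})" if notes else ""
    return f"{name}: {h['loss_ratio']:.1%} lost{suffix}"

if __name__ == "__main__":
    # Assumption: socket files are named <pid>-<device>.<n>, as in the post.
    paths = glob.glob("/proc/net/pf_ring/*-*.*")
    for p in paths:
        with open(p) as fh:
            print(report(p, fh.read()))
    if not paths:
        print(report("sample", SAMPLE))
```

Run on a sensor, one output line per worker socket makes it easy to see whether every load-balanced process reports a non-zero Cluster Id and how loss is distributed across them.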