[Bro] Fwd: Configure error linking libpcap and pthread

Joe Blow blackhole.em at gmail.com
Fri Aug 29 08:31:30 PDT 2014 

It sure is.  Here is what it's telling me from the proc fs:

# cat /proc/net/pf_ring/53559-eth3.103
Bound Device(s)    : eth3
Active             : 1
Breed              : Non-DNA
Sampling Rate      : 1
Capture Direction  : RX+TX
Socket Mode        : RX+TX
Appl. Name         : <unknown>
IP Defragment      : No
BPF Filtering      : Enabled
# Sw Filt. Rules   : 0
# Hw Filt. Rules   : 0
Poll Pkt Watermark : 1
Num Poll Calls     : 1
Channel Id Mask    : 0xFFFFFFFF
Cluster Id         : 0
Slot Version       : 16 [6.0.2]
Min Num Slots      : 32768
Bucket Len         : 8192
Slot Len           : 8232 [bucket+header]
Tot Memory         : 269758464
Tot Packets        : 220334266
Tot Pkt Lost       : 74243221
Tot Insert         : 146091045
Tot Read           : 145749734
Insert Offset      : 136479200
Remove Offset      : 136550784
TX: Send Ok        : 0
TX: Send Errors    : 0
Reflect: Fwd Ok    : 0
Reflect: Fwd Errors: 0
Num Free Slots     : 0


This is where i'm seeing tons of the packet loss.  I've got snort running
with PF_RING on the same box with 8 threads, 0 packet loss.  Any ideas?

Cheers,

JB


On Fri, Aug 29, 2014 at 10:58 AM, Doug Burks <doug.burks at gmail.com> wrote:

> It's possible that Bro is not actually using PF_RING and is actually
> falling back to standard libpcap.  Have you checked /proc/net/pf_ring/
> to see if there is evidence of Bro using PF_RING?
>
> On Fri, Aug 29, 2014 at 10:53 AM, Joe Blow <blackhole.em at gmail.com> wrote:
> > So i've gone and recompiled with PF_RING 6.  I have everything working
> and
> > using PF_RING correctly, but i'm still seeing packet loss (around 25% on
> a
> > 400-450mb/s link).   I was only ever able to get Bro working with
> > "Transparent mode = 0" and not 2 or 1.  I might be doing something
> > completely wrong, but whenever i start BRO, i only ever see one thread
> > peaking at 100%. Here is my node configuration:
> >
> > [worker-0]
> > type=worker
> > host=10.10.10.10
> > interface=eth3
> > lb_method=pf_ring
> > lb_procs=12
> >
> > Any ideas as to why i'm only getting one thread seeing the bro traffic?
> > Excuse my ignorance.
> >
> > Cheers,
> >
> > JB
> >
> >
> > On Thu, Aug 28, 2014 at 7:06 PM, Joe Blow <blackhole.em at gmail.com>
> wrote:
> >>
> >> Doug Burks was quick to point out that i didn't export LIBS or LDFLAGS.
> >>
> >> I would have NEVER guessed this... thanks a thousand times over for this
> >> tidbit.  Configure finished just fine.  Making now.  Will update once
> i've
> >> got it up and load balanced.
> >>
> >> <code>
> >>
> >> export LDFLAGS="-Wl,--no-as-needed -lrt"
> >>
> >> export LIBS="-lrt -lnuma"
> >>
> >> </code>
> >>
> >> Cheers,
> >>
> >> JB
> >>
> >>
> >> On Thu, Aug 28, 2014 at 6:52 PM, Doug Burks <doug.burks at gmail.com>
> wrote:
> >>>
> >>> Hi Joe,
> >>>
> >>> When I packaged Bro 2.3 and PF_RING 6.0.2, I had to do the following:
> >>>
> >>> export LDFLAGS := $(LDFLAGS) -Wl,--no-as-needed -lrt
> >>> export LIBS := $(LIBS) -lrt -lnuma
> >>>
> >>> Depending on your configuration, you may also need to include
> >>> -lpthread in your LIBS.
> >>>
> >>> On Thu, Aug 28, 2014 at 5:52 PM, Joe Blow <blackhole.em at gmail.com>
> wrote:
> >>> > Hey all,
> >>> >
> >>> > I'm having a really tough time getting PF_RING working with Bro in a
> >>> > threaded fashion.  I have PF_RING compiled and working fine (tcpdump
> >>> > test
> >>> > works fine with Transparent mode = 2):
> >>> >
> >>> > PF_RING Version          : 6.0.2 ($Revision: exported$)
> >>> > Total rings              : 0
> >>> >
> >>> > Standard (non DNA) Options
> >>> > Ring slots               : 4096
> >>> > Slot version             : 16
> >>> > Capture TX               : No [RX only]
> >>> > IP Defragment            : No
> >>> > Socket Mode              : Standard
> >>> > Transparent mode         : No [mode 2]
> >>> > Total plugins            : 0
> >>> > Cluster Fragment Queue   : 0
> >>> > Cluster Fragment Discard : 0
> >>> >
> >>> > Bro is version 2.3 (sha1 - 79397be0e351165d44047b044d29b5e6580532cc
> >>> > bro-2.3.tar.gz)
> >>> > OS is CentOS 6.4 running 2.6.32-358.11.1.el6.x86_64
> >>> >
> >>> > When I try and configure against my PF_RING libraries, I get this:
> >>> >
> >>> > ./configure --with-pcap=/opt/pfring
> >>> > Build Directory : build
> >>> > Source Directory: /root/src/bro-2.3
> >>> > -- The C compiler identification is GNU
> >>> > -- The CXX compiler identification is GNU
> >>> > -- Check for working C compiler: /usr/bin/gcc
> >>> > -- Check for working C compiler: /usr/bin/gcc -- works
> >>> > -- Detecting C compiler ABI info
> >>> > -- Detecting C compiler ABI info - done
> >>> > -- Check for working CXX compiler: /usr/bin/c++
> >>> > -- Check for working CXX compiler: /usr/bin/c++ -- works
> >>> > -- Detecting CXX compiler ABI info
> >>> > -- Detecting CXX compiler ABI info - done
> >>> > -- Found sed: /bin/sed
> >>> > -- Found Perl: /usr/bin/perl
> >>> > -- Found FLEX: 2.5.35
> >>> > -- Found BISON: /usr/bin/bison
> >>> > -- Found PCAP: /opt/pfring/lib/libpcap.so
> >>> > -- Performing Test PCAP_LINKS_SOLO
> >>> > -- Performing Test PCAP_LINKS_SOLO - Failed
> >>> > -- Looking for include files CMAKE_HAVE_PTHREAD_H
> >>> > -- Looking for include files CMAKE_HAVE_PTHREAD_H - found
> >>> > -- Looking for pthread_create in pthreads
> >>> > -- Looking for pthread_create in pthreads - not found
> >>> > -- Looking for pthread_create in pthread
> >>> > -- Looking for pthread_create in pthread - found
> >>> > -- Found Threads: TRUE
> >>> > -- Performing Test PCAP_NEEDS_THREADS
> >>> > -- Performing Test PCAP_NEEDS_THREADS - Failed
> >>> > CMake Error at cmake/FindPCAP.cmake:61 (message):
> >>> >   Couldn't determine how to link against libpcap
> >>> > Call Stack (most recent call first):
> >>> >   cmake/FindRequiredPackage.cmake:26 (find_package)
> >>> >   CMakeLists.txt:52 (FindRequiredPackage)
> >>> >
> >>> >
> >>> > -- Configuring incomplete, errors occurred!
> >>> >
> >>> > I'm banging my head against this, but I believe this is because bro
> >>> > can't
> >>> > find the threading library to link to.  Could someone point me in the
> >>> > right
> >>> > direction?  Do I need other threading libraries? Static linking?
> >>> >
> >>> > Cheers,
> >>> >
> >>> > JB
> >>> >
> >>> >
> >>> > _______________________________________________
> >>> > Bro mailing list
> >>> > bro at bro-ids.org
> >>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >>>
> >>>
> >>>
> >>> --
> >>> Doug Burks
> >>> Need Security Onion Training or Commercial Support?
> >>> http://securityonionsolutions.com
> >>
> >>
> >
>
>
>
> --
> Doug Burks
> Need Security Onion Training or Commercial Support?
> http://securityonionsolutions.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140829/97aeb0c9/attachment.html

More information about the Bro mailing list