[Bro] Fwd: Configure error linking libpcap and pthread

Joe Blow blackhole.em at gmail.com
Fri Aug 29 12:27:57 PDT 2014


Doug - I fixed my node config up and ran those commands.  There were some
incorrect configs in the node.cfg file, which I was able to check with the
broctl config command.

Everything seems to be working stellar now.  Thanks tons for all the help
everyone!

Cheers,

JB


On Fri, Aug 29, 2014 at 3:05 PM, Daniel Thayer <dnthayer at illinois.edu>
wrote:

> Another thing to check is to search the output of "broctl config"
> for "pfringclusterid" (it must be set to a non-zero value if you
> want to use PF_RING).
>
>
>
>
> On 08/29/2014 01:49 PM, Doug Burks wrote:
>
>> Based on the following lines, it looks like Bro is running in standalone
>> mode:
>> Appl. Name         : <unknown>
>> Cluster Id         : 0
>>
>> If it were running in cluster mode, I would expect to see something
>> like the following instead:
>> Appl. Name         : bro-eth3
>> Cluster Id         : 21
>>
>> Have you double-checked your node.cfg?
>>
>> Have you tried the following?
>> sudo broctl install && sudo broctl restart
>>
>> On Fri, Aug 29, 2014 at 11:31 AM, Joe Blow <blackhole.em at gmail.com>
>> wrote:
>>
>>> It sure is.  Here is what it's telling me from the proc fs:
>>>
>>> # cat /proc/net/pf_ring/53559-eth3.103
>>> Bound Device(s)    : eth3
>>> Active             : 1
>>> Breed              : Non-DNA
>>> Sampling Rate      : 1
>>> Capture Direction  : RX+TX
>>> Socket Mode        : RX+TX
>>> Appl. Name         : <unknown>
>>> IP Defragment      : No
>>> BPF Filtering      : Enabled
>>> # Sw Filt. Rules   : 0
>>> # Hw Filt. Rules   : 0
>>> Poll Pkt Watermark : 1
>>> Num Poll Calls     : 1
>>> Channel Id Mask    : 0xFFFFFFFF
>>> Cluster Id         : 0
>>> Slot Version       : 16 [6.0.2]
>>> Min Num Slots      : 32768
>>> Bucket Len         : 8192
>>> Slot Len           : 8232 [bucket+header]
>>> Tot Memory         : 269758464
>>> Tot Packets        : 220334266
>>> Tot Pkt Lost       : 74243221
>>> Tot Insert         : 146091045
>>> Tot Read           : 145749734
>>> Insert Offset      : 136479200
>>> Remove Offset      : 136550784
>>> TX: Send Ok        : 0
>>> TX: Send Errors    : 0
>>> Reflect: Fwd Ok    : 0
>>> Reflect: Fwd Errors: 0
>>> Num Free Slots     : 0
>>>
>>>
>>> This is where I'm seeing tons of the packet loss.  I've got snort running
>>> with PF_RING on the same box with 8 threads, 0 packet loss.  Any ideas?
>>>
>>> Cheers,
>>>
>>> JB
>>>
>>>
>>> On Fri, Aug 29, 2014 at 10:58 AM, Doug Burks <doug.burks at gmail.com>
>>> wrote:
>>>
>>>>
>>>> It's possible that Bro is not actually using PF_RING and is actually
>>>> falling back to standard libpcap.  Have you checked /proc/net/pf_ring/
>>>> to see if there is evidence of Bro using PF_RING?
>>>>
>>>> On Fri, Aug 29, 2014 at 10:53 AM, Joe Blow <blackhole.em at gmail.com>
>>>> wrote:
>>>>
>>>>> So I've gone and recompiled with PF_RING 6.  I have everything working
>>>>> and using PF_RING correctly, but I'm still seeing packet loss (around
>>>>> 25% on a 400-450mb/s link).   I was only ever able to get Bro working with
>>>>> "Transparent mode = 0" and not 2 or 1.  I might be doing something
>>>>> completely wrong, but whenever I start BRO, I only ever see one thread
>>>>> peaking at 100%. Here is my node configuration:
>>>>>
>>>>> [worker-0]
>>>>> type=worker
>>>>> host=10.10.10.10
>>>>> interface=eth3
>>>>> lb_method=pf_ring
>>>>> lb_procs=12
>>>>>
>>>>> Any ideas as to why I'm only getting one thread seeing the bro traffic?
>>>>> Excuse my ignorance.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> JB
>>>>>
>>>>>
>>>>> On Thu, Aug 28, 2014 at 7:06 PM, Joe Blow <blackhole.em at gmail.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>> Doug Burks was quick to point out that I didn't export LIBS or
>>>>>> LDFLAGS.
>>>>>>
>>>>>> I would have NEVER guessed this... thanks a thousand times over for
>>>>>> this tidbit.  Configure finished just fine.  Making now.  Will update
>>>>>> once I've got it up and load balanced.
>>>>>>
>>>>>> <code>
>>>>>>
>>>>>> export LDFLAGS="-Wl,--no-as-needed -lrt"
>>>>>>
>>>>>> export LIBS="-lrt -lnuma"
>>>>>>
>>>>>> </code>
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> JB
>>>>>>
>>>>>>
>>>>>> On Thu, Aug 28, 2014 at 6:52 PM, Doug Burks <doug.burks at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>> Hi Joe,
>>>>>>>
>>>>>>> When I packaged Bro 2.3 and PF_RING 6.0.2, I had to do the following:
>>>>>>>
>>>>>>> export LDFLAGS := $(LDFLAGS) -Wl,--no-as-needed -lrt
>>>>>>> export LIBS := $(LIBS) -lrt -lnuma
>>>>>>>
>>>>>>> Depending on your configuration, you may also need to include
>>>>>>> -lpthread in your LIBS.
>>>>>>>
>>>>>>> On Thu, Aug 28, 2014 at 5:52 PM, Joe Blow <blackhole.em at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hey all,
>>>>>>>>
>>>>>>>> I'm having a really tough time getting PF_RING working with Bro in a
>>>>>>>> threaded fashion.  I have PF_RING compiled and working fine (tcpdump
>>>>>>>> test works fine with Transparent mode = 2):
>>>>>>>>
>>>>>>>> PF_RING Version          : 6.0.2 ($Revision: exported$)
>>>>>>>> Total rings              : 0
>>>>>>>>
>>>>>>>> Standard (non DNA) Options
>>>>>>>> Ring slots               : 4096
>>>>>>>> Slot version             : 16
>>>>>>>> Capture TX               : No [RX only]
>>>>>>>> IP Defragment            : No
>>>>>>>> Socket Mode              : Standard
>>>>>>>> Transparent mode         : No [mode 2]
>>>>>>>> Total plugins            : 0
>>>>>>>> Cluster Fragment Queue   : 0
>>>>>>>> Cluster Fragment Discard : 0
>>>>>>>>
>>>>>>>> Bro is version 2.3 (sha1 - 79397be0e351165d44047b044d29b5e6580532cc
>>>>>>>> bro-2.3.tar.gz)
>>>>>>>> OS is CentOS 6.4 running 2.6.32-358.11.1.el6.x86_64
>>>>>>>>
>>>>>>>> When I try and configure against my PF_RING libraries, I get this:
>>>>>>>>
>>>>>>>> ./configure --with-pcap=/opt/pfring
>>>>>>>> Build Directory : build
>>>>>>>> Source Directory: /root/src/bro-2.3
>>>>>>>> -- The C compiler identification is GNU
>>>>>>>> -- The CXX compiler identification is GNU
>>>>>>>> -- Check for working C compiler: /usr/bin/gcc
>>>>>>>> -- Check for working C compiler: /usr/bin/gcc -- works
>>>>>>>> -- Detecting C compiler ABI info
>>>>>>>> -- Detecting C compiler ABI info - done
>>>>>>>> -- Check for working CXX compiler: /usr/bin/c++
>>>>>>>> -- Check for working CXX compiler: /usr/bin/c++ -- works
>>>>>>>> -- Detecting CXX compiler ABI info
>>>>>>>> -- Detecting CXX compiler ABI info - done
>>>>>>>> -- Found sed: /bin/sed
>>>>>>>> -- Found Perl: /usr/bin/perl
>>>>>>>> -- Found FLEX: 2.5.35
>>>>>>>> -- Found BISON: /usr/bin/bison
>>>>>>>> -- Found PCAP: /opt/pfring/lib/libpcap.so
>>>>>>>> -- Performing Test PCAP_LINKS_SOLO
>>>>>>>> -- Performing Test PCAP_LINKS_SOLO - Failed
>>>>>>>> -- Looking for include files CMAKE_HAVE_PTHREAD_H
>>>>>>>> -- Looking for include files CMAKE_HAVE_PTHREAD_H - found
>>>>>>>> -- Looking for pthread_create in pthreads
>>>>>>>> -- Looking for pthread_create in pthreads - not found
>>>>>>>> -- Looking for pthread_create in pthread
>>>>>>>> -- Looking for pthread_create in pthread - found
>>>>>>>> -- Found Threads: TRUE
>>>>>>>> -- Performing Test PCAP_NEEDS_THREADS
>>>>>>>> -- Performing Test PCAP_NEEDS_THREADS - Failed
>>>>>>>> CMake Error at cmake/FindPCAP.cmake:61 (message):
>>>>>>>>    Couldn't determine how to link against libpcap
>>>>>>>> Call Stack (most recent call first):
>>>>>>>>    cmake/FindRequiredPackage.cmake:26 (find_package)
>>>>>>>>    CMakeLists.txt:52 (FindRequiredPackage)
>>>>>>>>
>>>>>>>>
>>>>>>>> -- Configuring incomplete, errors occurred!
>>>>>>>>
>>>>>>>> I'm banging my head against this, but I believe this is because bro
>>>>>>>> can't find the threading library to link to.  Could someone point me
>>>>>>>> in the right direction?  Do I need other threading libraries? Static
>>>>>>>> linking?
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> JB
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Bro mailing list
>>>>>>>> bro at bro-ids.org
>>>>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Doug Burks
>>>>>>> Need Security Onion Training or Commercial Support?
>>>>>>> http://securityonionsolutions.com
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Doug Burks
>>>> Need Security Onion Training or Commercial Support?
>>>> http://securityonionsolutions.com
>>>>
>>>
>>>
>>>
>>
>>
>>
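
The check described in the thread above (read the ring's "Appl. Name" and "Cluster Id" under /proc/net/pf_ring/ to see whether Bro joined a PF_RING cluster) can be scripted. This is an added example, not part of the original thread or of Bro or PF_RING; the function names, the glob pattern and the second sample's counters are assumptions, and the loss figure is Tot Pkt Lost divided by Tot Packets.

```python
import glob

# Fields copied from the /proc/net/pf_ring output quoted in the thread (trimmed).
STANDALONE = """\
Bound Device(s)    : eth3
Appl. Name         : <unknown>
Cluster Id         : 0
Tot Packets        : 220334266
Tot Pkt Lost       : 74243221
Tot Insert         : 146091045
Reflect: Fwd Errors: 0
"""
# Constructed sample: name and cluster id are the values the thread says to
# expect in cluster mode; the counters are made up.
CLUSTERED = """\
Appl. Name         : bro-eth3
Cluster Id         : 21
Tot Packets        : 1000000
Tot Pkt Lost       : 0
"""

def parse_ring(text):
    """Parse one ring status file into {key: value}; keys may contain ':'."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.rpartition(":")  # split on the LAST colon
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def assess(fields):
    """Summarise one ring: application name, cluster membership, loss percent."""
    total = int(fields.get("Tot Packets", 0))
    lost = int(fields.get("Tot Pkt Lost", 0))
    cluster_id = int(fields.get("Cluster Id", 0))
    return {
        "app": fields.get("Appl. Name", "<unknown>"),
        "cluster_id": cluster_id,
        "clustered": cluster_id != 0,  # 0 means the socket joined no cluster
        "loss_pct": round(100.0 * lost / total, 2) if total else 0.0,
    }

if __name__ == "__main__":
    # Assumed layout: one <pid>-<dev>.<n> file per ring, as in the thread.
    for path in sorted(glob.glob("/proc/net/pf_ring/*-*.*")):
        with open(path) as fh:
            r = assess(parse_ring(fh.read()))
        mode = "cluster %d" % r["cluster_id"] if r["clustered"] else "NO CLUSTER"
        print("%s: %s, %s, loss %.2f%%" % (path, r["app"], mode, r["loss_pct"]))
```

With lb_procs=12 one would expect twelve ring files sharing the same non-zero cluster id; a single ring with cluster id 0 matches the standalone symptom discussed above.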