[Bro] Cluster+PF_RING doubt
Martin Andreoni
martin at gta.ufrj.br
Fri Feb 21 15:08:28 PST 2014
Hello community, I will ask you a newbie question about Bro and PF_RING.
I am working with a Bro Cluster topology, as can be seen in the figure
attached or at http://www.freeimagehosting.net/newuploads/oevq9.png; all
are XEN virtual machines working with PF_RING.
My intention is to do load balancing. I am doing a UDP flood attack
from several machines in the 123.123.X.X network to one victim in the
192.168.1.X network. As you can imagine, I need to divert the traffic
to a Bro cluster to analyze it.
As can be seen in the figure, I put a worker sniffing the eth4
interface from the TAP (worker-5 is in the TAP VM). So here is my doubt.
Should Bro, through the PF_RING lib, automatically load balance the
traffic to all workers? Or is there a mistake in my topology? As it is
working now, I am just receiving all of the flow in worker-5 and there is
no balancing.
Thanks for your help.
Below are the commands showing that Bro+PF_RING are working:
*[BroControl] > status*
Name      Type     Host           Status   Pid    Peers  Started
manager   manager  192.168.0.61   running  25665  4      20 Feb 17:15:44
proxy-1   proxy    192.168.0.61   running  25712  4      20 Feb 17:15:47
worker-2  worker   192.168.0.62   running  12326  2      20 Feb 17:15:55
worker-3  worker   192.168.0.64   running  22115  2      20 Feb 17:15:58
worker-4  worker   192.168.0.61   running  25768  2      20 Feb 17:15:59
worker-5  worker   192.168.0.100  running  15901  2      20 Feb 17:16:02
*root@manager:/usr/local/bro/etc# broctl config |grep pfring*
pfringclusterid = 15
pfringclustertype = 4-tuple
*root@manager:/usr/local/bro/etc# cat node.cfg*
#Cluster Config
[manager]
type=manager
host=192.168.0.61
[proxy-1]
type=proxy
host=192.168.0.61
[worker-2]
type=worker
host=192.168.0.62
interface=eth2
lb_method=pf_ring
[worker-3]
type=worker
host=192.168.0.64
interface=eth2
lb_method=pf_ring
[worker-4]
type=worker
host=192.168.0.61
interface=eth2
lb_method=pf_ring
[worker-5]
type=worker
host=192.168.0.100
interface=eth4
lb_method=pf_ring
*root@Test1:# ldd /usr/local/bro/bin/bro | grep pcap*
libpcap.so.1 => /usr/local/pfring/lib/libpcap.so.1 (0x00007f596d4e3000)
*root@worker-5:/proc/net/pf_ring# cat 15901-eth4.115*
Bound Device(s) : eth4
Active : 1
Breed : Non-DNA
Sampling Rate : 1
Capture Direction : RX+TX
Socket Mode : RX+TX
Appl. Name : <unknown>
IP Defragment : No
BPF Filtering : Enabled
# Sw Filt. Rules : 0
# Hw Filt. Rules : 0
Poll Pkt Watermark : 1
Num Poll Calls : 4053459
Channel Id Mask : 0xFFFFFFFF
Cluster Id : 15
Slot Version : 15 [5.6.3]
Min Num Slots : 8151
Bucket Len : 8192
Slot Len : 8232 [bucket+header]
Tot Memory : 67108864
Tot Packets : 963
Tot Pkt Lost : 0
Tot Insert : 963
Tot Read : 963
Insert Offset : 298168
Remove Offset : 298168
TX: Send Ok : 0
TX: Send Errors : 0
Reflect: Fwd Ok : 0
Reflect: Fwd Errors: 0
Num Free Slots : 8151
--
------------------------------------------------------------------------
*Martin Andreoni *
/Msc. Student/
/Grupo de Teleinformática e Automação (GTA)/
/Programa de Engenharia Elétrica (PEE)/
/Universidade Federal do Rio de Janeiro (UFRJ)/
/www.gta.ufrj.br/~martin <http://www.gta.ufrj.br/%7Emartin>/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PF_RING.png
Type: image/png
Size: 45946 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140221/4427b02f/attachment.bin
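
An added example, not part of the original post and not Bro or PF_RING code: a Python check that parses per-socket files in the /proc/net/pf_ring format shown above and reports, for each device and cluster id on one host, how many sockets share the cluster and how packets are split among them. The sample input is constructed (the first entry copies the worker-5 values from the post; the eth2 sockets, the function names and the 50% tolerance are assumptions).

```python
import glob
import os
from collections import defaultdict

# Constructed sample input, trimmed to the fields used below. The first entry
# copies values from the worker-5 socket in the post; the eth2 entries are
# hypothetical sockets added to show a cluster with two members on one host.
SAMPLE = {
    "15901-eth4.115": "Bound Device(s) : eth4\nCluster Id : 15\nTot Packets : 963\nTot Pkt Lost : 0\nReflect: Fwd Errors: 0\n",
    "2201-eth2.7": "Bound Device(s) : eth2\nCluster Id : 15\nTot Packets : 480\nTot Pkt Lost : 0\n",
    "2202-eth2.8": "Bound Device(s) : eth2\nCluster Id : 15\nTot Packets : 520\nTot Pkt Lost : 3\n",
}

def parse_socket(text):
    """Turn the 'Key : Value' lines of one socket file into a dict."""
    fields = {}
    for line in text.splitlines():
        # Split on the last colon: keys such as 'TX: Send Ok' contain one.
        key, sep, value = line.rpartition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def load_proc(path="/proc/net/pf_ring"):
    """Read every per-socket file (<pid>-<iface>.<n>) on a live sensor."""
    out = {}
    for name in glob.glob(os.path.join(path, "*-*.*")):
        with open(name) as fh:
            out[os.path.basename(name)] = fh.read()
    return out

def cluster_report(files, tolerance=0.5):
    """Group sockets by (device, cluster id); return shares, loss and a verdict."""
    groups = defaultdict(dict)
    for name, text in files.items():
        f = parse_socket(text)
        key = (f["Bound Device(s)"], int(f["Cluster Id"]))
        groups[key][name] = (int(f["Tot Packets"]), int(f["Tot Pkt Lost"]))
    report = {}
    for key, socks in groups.items():
        total = sum(p for p, _ in socks.values())
        even = 1 / len(socks)
        shares = {n: (p / total if total else 0.0) for n, (p, _) in socks.items()}
        if len(socks) == 1:
            verdict = "single socket"  # no other socket on this host shares the cluster
        elif any(abs(s - even) > tolerance * even for s in shares.values()):
            verdict = "imbalanced"
        else:
            verdict = "balanced"
        report[key] = {"shares": shares, "lost": sum(l for _, l in socks.values()), "verdict": verdict}
    return report
```

On a sensor, `cluster_report(load_proc())` runs the same check against the live files; the figures are per host, so each worker machine has to be inspected separately.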