[Bro] PF_RING pfring_open() for Endace DAG

Mike Patterson mike.patterson at uwaterloo.ca
Thu Mar 13 05:07:50 PDT 2014


It depends on your DAG hardware. They can all do the load balancing, but not all can duplicate the buckets to multiple streams.
On my 9.2X2, I have:

80 all

color 80 hash 0 stream 0,2,4,6,8
color 80 hash 1 stream 0,2,4,10,12
color 80 hash 2 stream 0,2,4,14,16
color 80 hash 3 stream 0,2,4,18,20
color 80 hash 4 stream 0,2,4,22,24
color 80 hash 5 stream 0,2,4,26,28
color 80 hash 6 stream 0,2,4,30,32
color 80 hash 7 stream 0,2,4,34,36

Snort listens to streams 6,10,14, etc.
Bro listens to streams 8,12,16, etc.
Streams 0,2,4 are for tcpdump-like applications.

For a while I just had Bro listening on stream 4, and used some magic that Seth helped me with to have 6 workers listening to it, although he now tells me that it’s a terrible way to do things, so I won’t pain him by posting it here now - I think I have previously if you dig around a bit in the list archives.

(However, I’ve run out of useful cores on my box hosting the DAG, so I’m going to be taking a different approach, once I get the round tuits and meeting-free time - snort will be booted off this box and onto another one.)

Mike

-- 
Software never has flaws... it just sometimes has undocumented remote
administration capabilities.  - Tom Liston

On Mar 12, 2014, at 7:48 PM, Alex Waher <alexwis at gmail.com> wrote:

> I recall you can duplicate streams with DAG. Something like:
> 
> 100 all
> 200 all
> color 100 stream 2,4,6,8
> color 200 stream 0
> 
> ..and then have bro use a bpf filter upon the dag0:2,4,6,etc interfaces. Would take some more digging into the DAG docs to see if you could just outright apply hash load balancing across those streams as well. Either way, I'm pretty sure this can all be done directly within the DAG card with no need for pf_ring (the bro integration with pf_ring does make things wonderfully easy to set up though!)
> 
> -Alex
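An added example, not part of the thread and not Endace or Bro code: a coverage check over the hash rules quoted in Mike's message, confirming that each sensor's streams together receive every hash bucket exactly once (no blind spot, no duplicated traffic). It assumes each rule delivers bucket H to every stream it lists; the function names and the bucket count of 8 (hash 0 to 7, as in the post) are this example's own.

```python
import re
from collections import defaultdict

# Rules copied from the post above; the meaning assumed here is the one the
# post describes: packets in hash bucket H are delivered to every listed stream.
RULES = """\
color 80 hash 0 stream 0,2,4,6,8
color 80 hash 1 stream 0,2,4,10,12
color 80 hash 2 stream 0,2,4,14,16
color 80 hash 3 stream 0,2,4,18,20
color 80 hash 4 stream 0,2,4,22,24
color 80 hash 5 stream 0,2,4,26,28
color 80 hash 6 stream 0,2,4,30,32
color 80 hash 7 stream 0,2,4,34,36
"""
# Stream groups as described in the post (Snort 6,10,14,...; Bro 8,12,16,...).
GROUPS = {"snort": set(range(6, 35, 4)), "bro": set(range(8, 37, 4))}
RULE_RE = re.compile(r"color\s+\d+\s+hash\s+(\d+)\s+stream\s+(\d+(?:,\d+)*)")

def parse_rules(text):
    """Return {stream: set of hash buckets delivered to that stream}."""
    table = defaultdict(set)
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"unrecognised rule: {line!r}")
        for stream in m.group(2).split(","):
            table[int(stream)].add(int(m.group(1)))
    return dict(table)

def check_group(table, streams, n_buckets=8):
    """Problems for one sensor whose workers split `streams` between them."""
    seen = defaultdict(list)
    for s in sorted(streams):
        for b in table.get(s, ()):
            seen[b].append(s)
    problems = []
    for b in range(n_buckets):
        if not seen[b]:
            problems.append(f"bucket {b} reaches no stream: blind spot")
        elif len(seen[b]) > 1:
            problems.append(f"bucket {b} on streams {seen[b]}: duplicates")
    return problems

def audit(text, groups, n_buckets=8):
    """Map each consumer name to its list of coverage problems."""
    table = parse_rules(text)
    return {name: check_group(table, s, n_buckets) for name, s in groups.items()}

if __name__ == "__main__": print(audit(RULES, GROUPS))
```

An empty list for a sensor means its workers jointly see all eight buckets with no overlap; any entry points at a rule to fix before trusting that sensor's alerts or logs.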