[Bro] PF_RING pfring_open() for Endace DAG

Benjamin Wood ben.bt.wood at gmail.com
Thu Mar 13 06:44:56 PDT 2014


Yeah. I was talking to our system admins, and we can't do this because
reasons...

We may be able to replicate the hash for bro and snort with our DAG (7.5),
but as it turns out, we are also running low on cores on that box. So we
are much better off trying to get new hardware to accomplish this.

I appreciate all the feedback. You guys are always very helpful with these
things.

Thanks Bros,
Ben


On Thu, Mar 13, 2014 at 8:07 AM, Mike Patterson <mike.patterson at uwaterloo.ca> wrote:

> It depends on your DAG hardware. They can all do the load balancing, not
> all can duplicate the buckets to multiple streams.
> On my 9.2X2, I have:
>
> 80 all
>
> color 80 hash 0 stream 0,2,4,6,8
> color 80 hash 1 stream 0,2,4,10,12
> color 80 hash 2 stream 0,2,4,14,16
> color 80 hash 3 stream 0,2,4,18,20
> color 80 hash 4 stream 0,2,4,22,24
> color 80 hash 5 stream 0,2,4,26,28
> color 80 hash 6 stream 0,2,4,30,32
> color 80 hash 7 stream 0,2,4,34,36
>
> Snort listens to streams 6,10,14, etc.
> Bro listens to streams 8,12,16, etc.
> Streams 0,2,4 are for tcpdump like applications.
>
> For a while I just had Bro listening on stream 4, and used some magic that
> Seth helped me with to have 6 workers listening to it, although he now
> tells me that it's a terrible way to do things, so I won't pain him by
> posting it here now - I think I have previously if you dig around a bit in
> the list archives.
>
> (However, I've run out of useful cores on my box hosting the DAG, so I'm
> going to be taking a different approach, once I get the round tuits and
> meeting-free time - snort will be booted off this box and onto another one.)
>
> Mike
>
> --
> Software never has flaws... it just sometimes has undocumented remote
> administration capabilities.  - Tom Liston
>
> On Mar 12, 2014, at 7:48 PM, Alex Waher <alexwis at gmail.com> wrote:
>
> > I recall you can duplicate streams with DAG. Something like:
> >
> > 100 all
> > 200 all
> > color 100 stream 2,4,6,8
> > color 200 stream 0
> >
> > ..and then have bro use a bpf filter upon the dag0:2,4,6,etc interfaces.
> > Would take some more digging into the DAG docs to see if you could just
> > outright apply hash load balancing across those streams as well. Either
> > way, I'm pretty sure this can all be done directly within the DAG card with
> > no need for pf_ring (the bro integration with pf_ring does make things
> > wonderfully easy to set up though!)
> >
> > -Alex
>
>
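An added example, not part of the original thread: a Python check that the hash-to-stream rules quoted above hand every hash bucket to exactly one Snort stream and exactly one Bro stream, since a bucket that reaches no worker is traffic the sensor never inspects. The rule syntax is taken only from the lines in the post; `CONSUMERS`, `parse_rules` and `coverage_gaps` are names assumed for this example.

```python
import re

# Rules copied from the quoted post (9.2X2 card); syntax as shown there only.
RULES = """\
color 80 hash 0 stream 0,2,4,6,8
color 80 hash 1 stream 0,2,4,10,12
color 80 hash 2 stream 0,2,4,14,16
color 80 hash 3 stream 0,2,4,18,20
color 80 hash 4 stream 0,2,4,22,24
color 80 hash 5 stream 0,2,4,26,28
color 80 hash 6 stream 0,2,4,30,32
color 80 hash 7 stream 0,2,4,34,36
"""

# Consumer layout as described in the post: "split" consumers run one worker
# per stream, "all" consumers expect the full feed on each of their streams.
CONSUMERS = {
    "snort": (range(6, 37, 4), "split"),    # streams 6,10,14,...,34
    "bro": (range(8, 37, 4), "split"),      # streams 8,12,16,...,36
    "tcpdump": ((0, 2, 4), "all"),
}

RULE_RE = re.compile(r"^color\s+(\d+)\s+hash\s+(\d+)\s+stream\s+([\d,]+)$")

def parse_rules(text):
    """Return {hash_bucket: set_of_streams} from 'color N hash H stream ...' lines."""
    buckets = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised rule: {line!r}")
        bucket = int(m.group(2))
        if bucket in buckets:
            raise ValueError(f"hash bucket {bucket} defined twice")
        buckets[bucket] = {int(s) for s in m.group(3).split(",") if s}
    return buckets

def coverage_gaps(buckets, consumers):
    """List every bucket a consumer would miss or see on more than one worker."""
    problems = []
    for name, (streams, mode) in consumers.items():
        wanted = set(streams)
        for bucket, delivered in sorted(buckets.items()):
            hits = sorted(delivered & wanted)
            if mode == "split" and len(hits) != 1:
                problems.append(f"{name}: bucket {bucket} on streams {hits}, expected exactly one")
            elif mode == "all" and len(hits) != len(wanted):
                problems.append(f"{name}: bucket {bucket} only on streams {hits}")
    return problems
```
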