[Bro] How to use PF_RING multi?
Thomas, Eric D
edthoma at sandia.gov
Mon Nov 17 15:04:46 PST 2014
I have not yet tried zbalance (I will someday) because I'm now told that
the packet stream is flow balanced upstream of the sensor. Each interface
(em1 and em2) will get bi-directional flows. Each will get half of the
total flows. So, can I have separate Bro pf_ring configs for each
interface? That is, will the below node.cfg work? It is starting 8 worker
procs as expected, but I'm not sure whether bro is doing what I think it
would with this config.

[manager]
type=manager
host=10.0.0.1

[proxy-1]
type=proxy
host=10.0.0.1

[bro-em1]
type=worker
host=10.0.0.1
interface=zc:em1
lb_method=pf_ring
lb_procs=4

[bro-em2]
type=worker
host=10.0.0.1
interface=zc:em2
lb_method=pf_ring
lb_procs=4

--
Eric Thomas
edthoma at sandia.gov
On 11/13/14, 12:17 PM, "Seth Hall" <seth at icir.org> wrote:
>
>I'm afraid we don't have a terribly elegant method to do that with
>PF_Ring right now. You could use their ZC module and do the load
>balancing in userspace with their zbalance_ipc tool (or whatever it's
>called). I think that can merge traffic and distribute it out and we
>support sniffing from ZC load balanced interfaces.
>
>This is yet another area where our upcoming packet-bricks tool will make
>life easier. I just wish it was ready for people to generally use. :/
>
> .Seth
>
>--
>Seth Hall
>International Computer Science Institute
>(Bro) because everyone has a network
>http://www.bro.org/
>