[Bro] zbalance_ipc with multiple applications and Bro

[Adam Pumphrey]

You probably need to take a look at the PFRINGFirstAppInstance in broctl.cfg, it defaults to 0.  If you’re looking to use the second app instance created by zbalance_ipc you’ll need to set that option to 4.  

Also make sure the lb_method and lb_procs are set appropriately in node.cfg file, for example:

interface=zc:99
lb_method=pf_ring
lb_procs=4    # should be equivalent to the number of instances per ‘ring'

If you really want to use zero-copy you need to add the prefix “zc:” to the physical interface name; e.g.  zbalance_ipc -i zc:eth5.  There are other pre-req’s for that to work, like configuring huge memory pages and installing the pf_ring-aware ZC driver.  

I’ve been testing with ZC also but having issues with Bro reporting increased packet loss rates as soon I enable a configuration like this.  Not sure if this is a hashing mode conflict, NIC/driver configuration issue or what..  I’d be interested to hear about your (or anyone else’s) results with such a setup.   

Adam 

> On Feb 11, 2015, at 10:14 AM, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
> 
> Hi.
> 
> I'm trying to start Bro and Suricata on one sensor, using the pf_ring
> ZC, like this
> 
> zbalance_ipc -i eth5 -c 99 -n 4,4 -m 1
> 
> where 99 is the cluster ID and -n <num>,<num> creates separate rings
> for each application. So far so good.
> 
> I should tell Bro to somehow bind to the zc:99 at 4, zc:99 at 5, zc:99 at 6,
> zc:99 at 7 interfaces. How can I do it?
> 
> Using zc:99 at 4 (AKA base, and let it increment automatically) does not work
> 
> fatal error: /opt/bro/bin/bro: problem with interface zc:99 at 4 -
> pcap_open_live: zc:99 at 4: No such device exists (SIOCGIFHWADDR: No such
> device)
> 
> Same for just zc:99 and not a surprise, Bro somehow needs to open
> sub-interfaces 4-7.
> 
> Is it even supported?
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro