[Bro] Bro PF RING
Azoff, Justin S
jazoff at illinois.edu
Tue Sep 22 13:23:03 PDT 2015
> On Sep 22, 2015, at 4:10 PM, Davison, Charles Robert <cdaviso1 at vols.utk.edu> wrote:
>
> I am following the instructions on bro.org for the PF_Ring install and have completed the below steps so far. I have a question about the next few steps:
Looking good so far :-)
> How do I complete this?
> ...Refer to the documentation for your Linux distribution on how to load the pf_ring module at boot time.
For Ubuntu this should work: place
    modprobe pf_ring enable_tx_capture=0
in /etc/modules-load.d/pfring.conf
> Does this basically mean I need to use the steps below on all worker nodes?
> ...You will need to install the PF_RING library files and kernel module on all of the workers in your cluster.
Yes. If your manager does not have a capture interface you can skip the kernel steps on that machine, but you need to install all of the components on the workers.
> I already downloaded Bro and installed/configured it... Is there a way to reconfigure Bro without performing the below steps?
> • Download the Bro source code.
You will need to configure Bro using
    ./configure --with-pcap=/opt/pfring
in order for it to link against pf_ring.
> • Configure and install Bro using the following commands:
> Steps Completed Thus Far on Ubuntu 14.04 LTS
> cd /usr/src
> sudo wget http://sourceforge.net/projects/ntop/files/PF_RING/PF_RING-6.0.3.tar.gz
> sudo tar zxvf PF_RING-6.0.3.tar.gz
> cd PF_RING-6.0.3/userland/lib
> ./configure --prefix=/opt/pfring
> make
> sudo make install
>
> cd ../libpcap
> ./configure --prefix=/opt/pfring
> make
> sudo make install
>
> cd ../tcpdump-4.1.1
> ./configure --prefix=/opt/pfring
> make
> sudo make install
>
> cd ../../kernel
> make
> sudo make install
>
> sudo modprobe pf_ring enable_tx_capture=0 min_num_slots=32768
>
>
--
- Justin Azoff
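
The two requirements in the reply above (pf_ring loaded on every worker, Bro linked against the libpcap under /opt/pfring) can be checked per worker with a short script. This is an added example, not part of the original thread or the Bro documentation; the function names and the PFRING_PREFIX variable are assumptions, and only /opt/pfring and the module name pf_ring come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for one Bro worker.
# Function names and PFRING_PREFIX are hypothetical; /opt/pfring and the
# module name pf_ring are the values used in the thread.
PFRING_PREFIX="${PFRING_PREFIX:-/opt/pfring}"

# module_loaded [FILE]: succeed if pf_ring appears as a module name in a
# /proc/modules-style listing (the module name is the first field).
module_loaded() {
    awk '$1 == "pf_ring" { found = 1 } END { exit !found }' "${1:-/proc/modules}"
}

# pcap_path_from_ldd: read `ldd` output on stdin and print the path that
# libpcap resolves to ("libpcap.so.N => /path (0x...)"), if any.
pcap_path_from_ldd() {
    awk '$1 ~ /^libpcap\.so/ && $2 == "=>" { print $3; exit }'
}

# linked_against_pfring: read `ldd` output on stdin; succeed only if
# libpcap resolves to a file under $PFRING_PREFIX. A system libpcap, or no
# dynamic libpcap entry at all (for example a static link), fails.
linked_against_pfring() {
    pcap_path=$(pcap_path_from_ldd)
    case "$pcap_path" in
        "$PFRING_PREFIX"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_worker BRO_BINARY: run both checks on the local machine.
check_worker() {
    rc=0
    module_loaded /proc/modules || { echo "FAIL: pf_ring module not loaded"; rc=1; }
    ldd "$1" | linked_against_pfring ||
        { echo "FAIL: $1 does not use libpcap from $PFRING_PREFIX"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: pf_ring loaded and $1 linked against it"
    return "$rc"
}

# Run only when given a binary path, e.g.: sh check_pfring.sh /path/to/bro
if [ "$#" -gt 0 ]; then
    check_worker "$1"
fi
```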