[Bro] RHEL7 and AF_PACKET

erik clark philosnef at gmail.com
Sun Dec 11 16:56:42 PST 2016


I have a bug report with RH. It is being worked on. It MAY make it into
7.4. The solution from RH is to use the elrepo kernel. I haven't been back
to work yet, but I may be getting a test kernel to work with to help get
this into the main branch earlier than 7.4. Per RH, the permanent fix isn't
that bad, it just touches on a bunch of things at once making it
undesirable to push into production immediately.

On Fri, Dec 9, 2016 at 10:23 PM, Ditch, Derek <derek.ditch at criticalstack.com> wrote:

> Justin,
>
> I haven’t used your tool before. That’s interesting…I tested in my ROCK
> NSM dev VM and it failed. When I switched to the El Repo kernel it had no
> problem. On production sensors w/ AF_PACKET I get ~ 0.06% packet loss. I’ll
> have to dig deeper on this. Your go app fails on my production sensor too,
> but I never had sufficient packet loss to dig into it.
>
> Have you submitted an issue with Red Hat to get the fix backported? If so,
> can you post the bug tracker number?
>
> -Derek
>
> On 12/9/16, 18:02, "Azoff, Justin S" <jazoff at illinois.edu> wrote:
>
>
>     > On Dec 9, 2016, at 5:57 PM, Ditch, Derek <derek.ditch at criticalstack.com> wrote:
>     >
>     > To be clear, AF_PACKET on RHEL7 and CentOS7 work extremely well w/
>     > Bro 2.5 and the af_packet plugin. It will not, however, work under RHEL 6
>     > because it uses the 2.x kernel.
>
>     Is this with a single worker or multiple workers?
>
>     A single worker would work fine, but as far as I can tell hash based
>     fanout is broken.
>
>     If bro is working for you, any ideas why
>     https://github.com/JustinAzoff/can-i-use-afpacket-fanout/ fails to run
>     properly on Centos 7?
>
>     --
>     - Justin Azoff
>