[Bro] PF_RING ZC Config

Slagell, Adam J slagell at illinois.edu
Fri Jul 8 12:23:39 PDT 2016


Thanks. I don’t want to forget to come back to this.

> On Jul 8, 2016, at 12:57 PM, Gary Faulkner <gfaulkner.nsm at gmail.com> wrote:
> 
> https://bro-tracker.atlassian.net/browse/BIT-1642
> 
> 
> On 7/8/16 12:35 PM, Slagell, Adam J wrote:
>> Could you create a ticket for this in the tracker?
>> 
>> On Jul 8, 2016, at 12:26 PM, Gary Faulkner <gfaulkner.nsm at gmail.com> wrote:
>> 
>> 
>> Related to Dave's query, but not really an answer, sorry Dave...
>> 
>> It might be worth revisiting this doc and updating for ZC:
>> 
>> https://www.bro.org/documentation/load-balancing.html
>> 
>> A few things have changed on the PF_RING DNA side in broctl in regards to naming support "dnacl" instead of "dnacluster" due to problems with name length for dnaclusters with greater than 10 queues, and with the most recent releases of PF_RING (6.4+), DNA appears to have been removed finally in favor of the newer ZC according to the change notes. From what I recall reading I don't believe it is terribly different outside of substituting ZC drivers (and tweaking huge-pages in the driver load script) in favor of DNA, and using zbalance_ipc instead of pfdnacluster_master. I want to say the naming in node.cfg becomes zc:<clusterid> instead of dnacl:<clusterid>.
>> 
>> Also, speaking of ZC, NTOP has a blog post that might be worth taking a look at concerning alternate ways of implementing ZC / zbalance_ipc with bro to work around a problem that can occur when bro workers crash and get automatically restarted.
>> 
>> http://www.ntop.org/pf_ring/best-practices-for-using-bro_ids-with-pf_ring-zc-reliably/
>> 
>> I haven't quite made the transition to ZC from DNA yet, otherwise I'd take a stab at submitting updated docs and trying to assist more here. I have plans to make the switch later this summer though.
>> 
>> ~Gary
>> 
>> On 7/7/16 5:25 PM, Dave Crawford wrote:
>> 
>> Just wanted to update the list that I quit spending cycles on this and for the time being reverted back to running our clusters with the non-commercial version of pf_ring.
>> 
>> I can only comment on my experience, but I discovered there is an extreme lack of quality documentation and the "commercial support" that came with the 10 licenses was nearly non-existent.
>> 
>> Lessons have been learned and when the need to expand comes we'll be looking at other commercial solutions to replace our X520's with.
>> 
>> -Dave
>> 
>> 
>> 
>> On Jun 24, 2016, at 8:28 AM, Dave Crawford <bro at pingtrip.com> wrote:
>> 
>> Would anyone happen to have documentation for configuring ZC and Bro? I have NTop's PF_RING and ixgbe driver packages installed, the proper license in /etc/pf_ring, and have compiled Bro with the NTop libraries but I'm seeing the kernel error below along with a ton of “split routing” messages in weird.conf, so I suspect the flows aren’t being load balanced correctly.
>> 
>> Jun 22 15:10:03 win-csignsm-01 kernel: [11060.244524] [PF_RING] Unable to activate two or more ZC sockets on the same interface eth6/link direction
>> 
>> The monitored NIC is an Intel X520-LR1.
>> 
>> Contents of /etc/pf_ring/zc/ixgbe/ixgbe.conf:
>> RSS=10 allow_unsupported_sfp=0
>> 
>> Contents of /etc/pf_ring/hugepages.conf
>> node=1 hugepages=1024
>> 
>> 
>> And Bro is configured as:
>> [MID_INT]
>> type=worker
>> host=10.20.30.123
>> interface=zc:eth6
>> lb_method=pf_ring
>> lb_procs=10
>> pin_cpus=10,11,12,13,14,15,16,17,18,19
>> 
>> Thanks!
>> -Dave
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> 
>> ------
>> 
>> Adam J. Slagell
>> Chief Information Security Officer
>> Director, Cybersecurity Division
>> National Center for Supercomputing Applications
>> University of Illinois at Urbana-Champaign
>> www.slagell.info
>> 
>> "Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."
> 

------

Adam J. Slagell
Chief Information Security Officer
Director, Cybersecurity Division
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure." 
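
Added example (not from any poster in this thread, nor from the Bro or PF_RING projects): a check that ties the kernel message quoted above to the node.cfg stanza posted with it. It assumes each of the lb_procs worker processes opens the interface string as written, and that an all-digit suffix after zc: is a zbalance_ipc cluster id as in the zc:<clusterid> naming mentioned in the thread; the function names, the second stanza and cluster id 99 are made up.

```python
import configparser
import re

# First stanza and the kernel log line are as posted in the thread. The second
# stanza is constructed: cluster id 99 is a made-up value for zc:<clusterid>.
SAMPLE_NODE_CFG = """
[MID_INT]
type=worker
host=10.20.30.123
interface=zc:eth6
lb_method=pf_ring
lb_procs=10
pin_cpus=10,11,12,13,14,15,16,17,18,19

[MID_INT_CLUSTER]
type=worker
interface=zc:99
lb_method=pf_ring
lb_procs=10
"""
SAMPLE_KERNEL_LOG = (
    "Jun 22 15:10:03 win-csignsm-01 kernel: [11060.244524] [PF_RING] Unable to "
    "activate two or more ZC sockets on the same interface eth6/link direction\n"
)
ZC_CONFLICT = re.compile(r"Unable to activate two or more ZC sockets on the same interface (\S+?)/")

def conflicted_interfaces(log_text):
    """Device names for which the kernel logged the ZC socket conflict."""
    return set(ZC_CONFLICT.findall(log_text))

def shared_zc_workers(node_cfg_text, log_text=""):
    """List workers that point more than one process at a single zc:<device>."""
    cfg = configparser.ConfigParser()
    cfg.read_string(node_cfg_text)
    refused = conflicted_interfaces(log_text)
    findings = []
    for name in cfg.sections():
        node = cfg[name]
        iface = node.get("interface", "")
        procs = node.getint("lb_procs", fallback=1)
        if node.get("type") != "worker" or not iface.startswith("zc:"):
            continue
        device = iface[len("zc:"):]
        # Assumption: an all-digit suffix is a zbalance_ipc cluster id, not a NIC.
        if device.isdigit() or procs < 2:
            continue
        # (node, device, worker count, whether the kernel log names this device)
        findings.append((name, device, procs, device in refused))
    return findings
```

Calling shared_zc_workers(SAMPLE_NODE_CFG, SAMPLE_KERNEL_LOG) reports only the MID_INT stanza, with the last field set because eth6 also appears in the kernel message.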