[Bro] bridge interface(br0) does not show SYN in bro

김희철 hckim at narusec.com
Wed Mar 30 18:44:41 PDT 2016 

Hi

I have setup bro 2.4.1 to monitor bridge interface(br0) with pf-ring
in the conn.log history field, there are lot of them missing 'S'
I did not have this problem with bro2.3 with same setup.

in bro 2.4.1 if I change br0 to physical NIC eth4, this problem goes away

is there a way to work around this?
has anyone encounter this kind of problem?


my setup is

cpu: AMD Opteron 6376    32core

ram: 64G
ubuntu 12.04.5
bro 2.4.1
pf-ring version-5.6.1, mode 0, RX+TX
intel NIC 4port (igb dirver)



*conn.log history count TOP 25 :*

  15265 Dd

   8796 D

7267 hadfF

   6558 hadf

   2629 FRa

   2294 Fr

   1938 hadFf

   1883 Fa

   1298 S

   1245 hadfFR

   1134 hf

   1067 d

   1043 -

   1001 F

    984 R

    858 hdf

    700 hdaFf

    667 FRr

    643 hdfFa

    608 ShADadFr

    568 ShADfFa

    517 r

    474 hadR

    416 hdafF

    393 hFf

    363 hdaf

    360 hadFR




*bro node.cfg*

[manager]

type=manager

host=localhost


[proxy-1]

type=proxy

host=localhost


[proxy-2]

type=proxy

host=localhost


[br0]

type=worker

host=localhost

interface=br0

lb_method=pf_ring

lb_procs=8

pin_cpus=2,3,4,5,6,7,8,9


*bro network.cfg*

192.168.0.0/16



*network NIC and bridge setup:*

rmmod igb && modprobe igb

modprobe pf_ring transparent_mode=0 enable_tx_capture=1


ifconfig eth4 down

ethtool -K eth4 rx off

ethtool -K eth4 tx off

ethtool -K eth4 sg off

ethtool -K eth4 tso off

ethtool -K eth4 gso off

ethtool -K eth4 gro off

ifconfig eth4 mtu 1514


ifconfig eth5 down

ethtool -K eth5 rx off

ethtool -K eth5 tx off

ethtool -K eth5 sg off

ethtool -K eth5 tso off

ethtool -K eth5 gso off

ethtool -K eth5 gro off

ifconfig eth5 mtu 1514


brctl addbr br0

brctl addif br0 eth4

ifconfig eth4 promisc up -multicast

brctl addif br0 eth5

ifconfig eth5 promisc up -multicast


ethtool stp br0 on


ethtool -K br0 sg off

ethtool -K br0 tso off

ethtool -K br0 gso off

ethtool -K br0 gro off

ethtool -K br0 lro off

ethtool -K br0 rxvlan off

ethtool -K br0 txvlan off

ifconfig br0 mtu 1514



ifconfig br0 promisc up -multicast


-- 
------------------------------------------------------
Hichul Kim 김희철 선임 연구원
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160331/88be652a/attachment.html

More information about the Bro mailing list