[Bro] Using native PF_RING plugin with broctl
Landy Bible
landy-bible at utulsa.edu
Mon Feb 27 04:02:29 PST 2017
I think you just need "interface=eth0". It knows to use pf_ring because of
the next line.
On Mon, Feb 27, 2017, 05:14 Jullian Remi <remi.jullian at ssi.gouv.fr> wrote:
> Hi all,
>
> I am trying to use Bro's PF_RING plugin with broctl, using a simple bro
> cluster on a single host.
>
> Here is an extract of my 'node.cfg' file:
>
> [worker]
> type=worker
> host=localhost
> interface=pf_ring::eth0
> lb_method=pf_ring
> lb_procs=8
> pin_cpus=0,1,2,3,4,5,6,7
>
> When I used the deploy command, I got the following error: "fatal error:
> type of packet source 'pf_ring' no recognized, or mode not supported"
>
> Here is the output of the deploy command:
>
> [BroControl] > deploy
> ...
> starting ...
> starting manager ...
> starting proxy ...
> starting worker-1
> ...
> starting worker-8
> worker-1 terminated immediately after starting; check output with "diag"
> ...
> worker-8 terminated immediately after starting; check output with "diag"
>
> And when running "diag":
>
> [BroControl] > diag
>
> ==== stderr.log
> fatal error: type of packet source 'pf_ring' no recognized, or mode not
> supported
>
>
> However I do not have any problem running bro as a standalone process
> with local commands such as:
>
> $/usr/local/bro/bin/bro -i pf_ring::eth0
> listening on eth0
>
> and:
>
> $/usr/local/bro/bin/bro -N | grep PF
> Bro::PF_RING - Packet acquisition via PF_RING (dynamic, version 1.0)
>
> This tends to prove Bro plugin has been installed and works.
>
> I think Broctl is launching Bro binary without the right settings for
> the plugin to be found/to work correctly. Am I missing something with
> configuration files ?
> May be the environment variables aren't properly set?
>
> Does anyone use bro's PF_RING plugin with a cluster configuration
> without issues?
>
> Thanks,
>
> Rémi
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170227/2c81af2c/attachment.html
More information about the Bro
mailing list