[Bro] Using native PF_RING plugin with broctl

Jullian Remi remi.jullian at ssi.gouv.fr
Mon Feb 27 09:10:47 PST 2017


When I set 'interface=eth0' and 'lb_method=pf_ring', the broctl deploy
command works, bro starts, but PF_RING is not used. Indeed, all workers
receive the same packets (i.e. no load-balancing is performed).

When I cat the file /proc/net/pf_ring/info, the total number of rings
used is 0. Moreover, when I put a breakpoint within Source.cc:192
(PcapSource::ExtractNextPacket), I can see the call to the libpcap
function pcap_next(), which should never be called.

> I think you just need "interface=eth0". It knows to use pf_ring because
> of the next line.
> 
> 
> On Mon, Feb 27, 2017, 05:14 Jullian Remi <remi.jullian at ssi.gouv.fr> wrote:
> 
>     Hi all,
> 
>     I am trying to use Bro's PF_RING plugin with broctl, using a simple bro
>     cluster on a single host.
> 
>     Here is an extract of my 'node.cfg' file:
> 
>     [worker]
>     type=worker
>     host=localhost
>     interface=pf_ring::eth0
>     lb_method=pf_ring
>     lb_procs=8
>     pin_cpus=0,1,2,3,4,5,6,7
> 
>     When I used the deploy command, I got the following error: "fatal error:
>     type of packet source 'pf_ring' no recognized, or mode not supported"
> 
>     Here is the output of the deploy command:
> 
>     [BroControl] > deploy
>     ...
>     starting ...
>     starting manager ...
>     starting proxy ...
>     starting worker-1
>     ...
>     starting worker-8
>     worker-1 terminated immediately after starting; check output with "diag"
>     ...
>     worker-8 terminated immediately after starting; check output with "diag"
> 
>     And when running "diag":
> 
>     [BroControl] > diag
> 
>     ==== stderr.log
>     fatal error: type of packet source 'pf_ring' no recognized, or mode not
>     supported
> 
> 
>     However I do not have any problem running bro as a standalone process
>     with local commands such as:
> 
>     $/usr/local/bro/bin/bro -i pf_ring::eth0
>     listening on eth0
> 
>     and:
> 
>     $/usr/local/bro/bin/bro -N | grep PF
>     Bro::PF_RING - Packet acquisition via PF_RING (dynamic, version 1.0)
> 
>     This tends to prove Bro plugin has been installed and works.
> 
>     I think Broctl is launching the Bro binary without the right settings for
>     the plugin to be found/to work correctly. Am I missing something with
>     configuration files?
>     Maybe the environment variables aren't properly set?
> 
>     Does anyone use bro's PF_RING plugin with a cluster configuration
>     without issues?
> 
>     Thanks,
> 
>     Rémi
> 
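
The check described at the top of this message (the ring count in /proc/net/pf_ring/info against the pf_ring workers configured in node.cfg), as an added example that is not part of the original post. It assumes the info file reports the count on a "Total rings : N" line; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare the rings PF_RING reports with
# the worker processes node.cfg asks broctl to start with lb_method=pf_ring.

# Print the ring count from a PF_RING info file.
# Assumption: the file carries a line of the form "Total rings : N".
pf_ring_total_rings() {
    awk -F: '/^Total rings/ {
                 gsub(/[ \t\r]/, "", $2)
                 if ($2 ~ /^[0-9]+$/) { print $2; found = 1 }
                 exit
             }
             END { if (!found) exit 1 }' "$1"
}

# Sum lb_procs over every node.cfg section that sets lb_method=pf_ring.
expected_pf_ring_workers() {
    awk -F= '
        function end_section() {
            if (method == "pf_ring") total += procs
            method = ""; procs = 0
        }
        /^[ \t]*\[/ { end_section(); next }
        { key = $1; val = $2; gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val) }
        key == "lb_method" { method = val }
        key == "lb_procs"  { procs = val + 0 }
        END { end_section(); print total + 0 }
    ' "$1"
}

# $1 = node.cfg, $2 = info file. Returns 0 if enough rings are open, 1 if
# fewer rings than configured workers, 2 if the info file cannot be parsed.
# Other PF_RING applications on the host also open rings, so a passing
# result is necessary but not sufficient.
check_pf_ring_in_use() {
    expected=$(expected_pf_ring_workers "$1") || return 2
    rings=$(pf_ring_total_rings "$2") || return 2
    if [ "$rings" -lt "$expected" ]; then
        echo "FAIL: $rings rings open, $expected pf_ring workers configured"
        return 1
    fi
    echo "OK: $rings rings open, $expected pf_ring workers configured"
}

# Constructed sample reproducing the state described in the thread.
demo_dir=$(mktemp -d)
printf '[worker]\ntype=worker\nhost=localhost\ninterface=eth0\nlb_method=pf_ring\nlb_procs=8\n' > "$demo_dir/node.cfg"
printf 'PF_RING Version          : (constructed)\nTotal rings              : 0\n' > "$demo_dir/info"
check_pf_ring_in_use "$demo_dir/node.cfg" "$demo_dir/info" || true
```

On a live sensor, call check_pf_ring_in_use with the deployed node.cfg and /proc/net/pf_ring/info once the workers are running.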


