[Bro] Using native PF_RING plugin with broctl

James Lay jlay at slave-tothe-box.net
Mon Feb 27 12:49:52 PST 2017 

On 2017-02-27 12:47, Seth Hall wrote:
>> On Feb 27, 2017, at 2:19 PM, Gary Faulkner <gfaulkner.nsm at gmail.com> 
>> wrote:
>> 
>> When you built Bro did you also configure/make/make install the 
>> pf_ring
>> plugin? My recollection is that the plugins are not automatically 
>> built
>> when you build bro. They should be in the
>> <path-to-bro-source>/aux/plugins/ in the source tree. They typically
>> install into <path-to-bro>/lib/bro/plugins/.
> 
> Are there people out there that are using the pf_ring plugin to
> successfully load balance traffic?  I just checked the source to that
> plugin and I don't see where it sets up a load balanced ring. (I
> haven't worked on this plugin at all)
> 
>   .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


 From my install notes:
###pfring
git clone https://github.com/ntop/PF_RING.git

cd PF_RING/kernel
make
sudo make install

cd PF_RING/userland/lib
./configure --prefix=/opt/pfring
make
sudo make install

cd ../libpcap
./configure --prefix=/opt/pfring
make
sudo make install

cd ../tcpdump
./configure --prefix=/opt/pfring
make
sudo make install

modprobe pf_ring enable_tx_capture=1 min_num_slots=32768
####

###bro
./configure --prefix=/opt/bro --with-pcap=/opt/pfring

pf_ring plugin
cd aux/plugins/pf_ring
./configure --bro-dist=../../.. --with-pfring=/opt/pfring 
--install-root=/opt/bro/lib/bro/plugins
sudo make install
####

1 worker from node.cfg:

[worker-1]
type=worker
host=localhost
interface=enp132s0
lb_method=pf_ring
lb_procs=6
pin_cpus=1,3,5,7,9,11


/proc/net/pf_ring/info:

PF_RING Version          : 6.5.0 
(dev:ab85fa090f7e1a9a66478815b82db6fa001a5b29)
Total rings              : 9

Standard (non ZC) Options
Ring slots               : 4096
Slot version             : 16
Capture TX               : Yes [RX+TX]
IP Defragment            : No
Socket Mode              : Standard
Total plugins            : 0
Cluster Fragment Queue   : 19736
Cluster Fragment Discard : 0


James

More information about the Bro mailing list