[Bro] Using native PF_RING plugin with broctl

Michael Shirk shirkdog.bsd at gmail.com
Tue Feb 28 05:40:26 PST 2017


I vote for updated documentation for the new plugin. What James posted is
how I would set it up, which would use pf_ring enabled libpcap.

--
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com

On Feb 28, 2017 4:33 AM, "Jullian Remi" <remi.jullian at ssi.gouv.fr> wrote:

> >
> >> On Feb 27, 2017, at 2:47 PM, Seth Hall <seth at icir.org> wrote:
> >>
> >>
> >>> On Feb 27, 2017, at 2:19 PM, Gary Faulkner <gfaulkner.nsm at gmail.com> wrote:
> >>>
> >>> When you built Bro did you also configure/make/make install the pf_ring
> >>> plugin? My recollection is that the plugins are not automatically built
> >>> when you build bro. They should be in the
> >>> <path-to-bro-source>/aux/plugins/ in the source tree. They typically
> >>> install into <path-to-bro>/lib/bro/plugins/.
> >>
> >> Are there people out there that are using the pf_ring plugin to
> >> successfully load balance traffic?  I just checked the source to that
> >> plugin and I don't see where it sets up a load balanced ring. (I haven't
> >> worked on this plugin at all)
> >
> > I can see from this thread that a number of people think they are using
> > the plugin, but are not actually using it.
> >
> > interface = eth0          # pf_ring libpcap wrapper
> > interface = pf_ring::eth0 # native bro pf_ring plugin
> >
> >
>
> Indeed, this is what I try to underline with this thread; I also believe
> there is a glitch with the native PF_RING plugin.
>
> I think that the example pointed out by James Lay is using PF_RING through
> libpcap, but NOT with the native plugin. It can be proved by
> breaking within Source.cc:192: PcapSource::ExtractNextPacket() and
> the underlying pcap_next() function should never be called if the
> plugin is properly used.
>
> I would suggest using a libpcap compiled without PF_RING support, to
> avoid confusion. This is actually how I test the plugin.
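The distinction drawn in the quoted messages (`interface = eth0` versus `interface = pf_ring::eth0`) can be checked mechanically. The following is an added example, not code from this thread or from the Bro project: it reads a broctl node.cfg and reports which nodes name the native plugin and which go through libpcap. The sample config, host names and function names are constructed; `lb_method` and `lb_procs` are assumed to be set the way broctl's PF_RING load balancing is usually configured.

```python
import configparser

# Constructed sample node.cfg (not from the thread); hosts/interfaces are placeholders.
SAMPLE_NODE_CFG = """
[manager]
type = manager
host = localhost

[worker-1]
type = worker
host = localhost
interface = eth0          # pf_ring libpcap wrapper
lb_method = pf_ring
lb_procs = 4

[worker-2]
type = worker
host = localhost
interface = pf_ring::eth1 # native bro pf_ring plugin
"""

NATIVE_PREFIX = "pf_ring::"  # prefix that selects the native plugin, per the thread

def _parse(cfg_text):
    # Only "=" is a delimiter so the "::" in pf_ring::eth1 is never split;
    # inline "#" comments are stripped from values.
    p = configparser.ConfigParser(delimiters=("=",),
                                  inline_comment_prefixes=("#",),
                                  interpolation=None)
    p.read_string(cfg_text)
    return p

def classify_capture_paths(cfg_text):
    """Return {node: (capture_path, device)} for every node that has an interface."""
    p = _parse(cfg_text)
    out = {}
    for node in p.sections():
        iface = p.get(node, "interface", fallback=None)
        if iface is None:
            continue  # manager/proxy nodes do not capture packets
        if iface.startswith(NATIVE_PREFIX):
            out[node] = ("native-plugin", iface[len(NATIVE_PREFIX):])
        else:
            out[node] = ("libpcap", iface)
    return out

def libpcap_nodes_with_pf_ring_lb(cfg_text):
    """Nodes that request PF_RING load balancing but capture through libpcap."""
    p = _parse(cfg_text)
    paths = classify_capture_paths(cfg_text)
    return [n for n, (path, _) in paths.items()
            if path == "libpcap" and p.get(n, "lb_method", fallback="") == "pf_ring"]

if __name__ == "__main__":
    for node, (path, dev) in classify_capture_paths(SAMPLE_NODE_CFG).items():
        print(f"{node}: {path} on {dev}")
```
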

