[Bro] Bro node.cfg not setting Myricom Sniffer10G environment variables

Seth Hall seth at corelight.com
Fri Jun 23 18:23:05 PDT 2017


You could also try the bro-myricom plugin from the Bro package
repository.  If you have bro-pkg set up, you should be able to do
this...

bro-pkg refresh
bro-pkg install sethhall/bro-myricom

There is documentation on how to use it here:
    https://github.com/sethhall/bro-myricom

You only configure the data ring size in it.  For some reason they
don't expose the desc ring size option through their native SNF API,
only the data ring size.  I'm going to go out on a limb here and guess
that you may be experiencing weird behavior because they probably want
to get rid of the desc ring size option.  It makes more sense if they
just auto-adjust that based on the chosen data ring size.

  .Seth


On Thu, Jun 22, 2017 at 5:23 PM, Chris Chiaverini <cchiaverini at bnl.gov> wrote:
> Rollback!!!!
>
> Myricom opened an internal ticket on their end so hopefully we will see
> a bugfix soon.
>
> Regards,
>
> Chris Chiaverini
> Cyber Security Operations
> Brookhaven National Laboratory
> Upton, New York 11973
>
> On 06/21/2017 07:59 PM, Aashish Sharma wrote:
>> Doh! I just upgraded the myricom drivers to 3.0.11 today only :)
>>
>> Aashish
>>
>> On Wed, Jun 21, 2017 at 06:31:50PM -0400, Chris Chiaverini wrote:
>>> Alex,
>>>
>>> Thank you for this.  I confirmed on my end too... rolled back to 3.0.10 and
>>> it worked.   I will let you know what Myricom comes up with, if they will
>>> fix in next release.
>>>
>>>
>>> Regards,
>>>
>>> Chris Chiaverini
>>> Cyber Security Operations
>>> Brookhaven National Laboratory
>>> Upton, New York 11973
>>>
>>> On 06/20/2017 11:01 AM, Chris Chiaverini wrote:
>>>> I have a support case open with them in parallel.  I will report this to
>>>> them too.  Maybe we'll get a fix in next minor release.
>>>>
>>>> Regards,
>>>>
>>>> Chris Chiaverini
>>>> Cyber Security Operations
>>>> Brookhaven National Laboratory
>>>> Upton, New York 11973
>>>> On 06/20/2017 10:09 AM, Alejandro Carreno wrote:
>>>>> I noticed this behavior as well a while back after upgrading SNF from
>>>>> 3.0.10 to 3.0.11. Downgrading back to 3.0.10 would return the ring sizes
>>>>> to the expected values.
>>>>>
>>>>> -Alex
>>>>>
>>>>> On Tue, Jun 20, 2017 at 6:47 AM Azoff, Justin S <jazoff at illinois.edu> wrote:
>>>>>
>>>>>
>>>>>     > On Jun 20, 2017, at 9:27 AM, Chris Chiaverini <cchiaverini at bnl.gov> wrote:
>>>>>     >
>>>>>     > It seems that bro 2.5.1 is not taking the SNF_DATARING_SIZE
>>>>>     > variable, no matter what I set it to.
>>>>>     >
>>>>>     > When at the defaults in the /etc/bro/node.cfg and with nothing
>>>>>     > set at the shell, it still reports it is set via "userset"
>>>>>     > instead of "default" like SNF_DESCRING_SIZE.
>>>>>
>>>>>     Can you do this quick test using tcpdump to verify the problem is
>>>>>     with bro/broctl or something with the myricom driver/library?
>>>>>
>>>>>     SNF_APP_ID=10 SNF_FLAGS=0x1 SNF_NUM_RINGS=8 SNF_DEBUG_MASK=3 SNF_DATARING_SIZE=4294967296 SNF_DESCRING_SIZE=1073741824 tcpdump -n -i snf0 -c 1
>>>>>
>>>>>     When I run that I get
>>>>>
>>>>>     23681 snf.0.-1 P (userset)              SNF_PORTNUM = 0
>>>>>     23681 snf.0.-1 P (default)              SNF_RING_ID = -1 (0xffffffff)
>>>>>     23681 snf.0.-1 P (environ)            SNF_NUM_RINGS = 8 (0x8)
>>>>>     23681 snf.0.-1 P (default)            SNF_RSS_FLAGS = 49 (0x31)
>>>>>     23681 snf.0.-1 P (environ)        SNF_DATARING_SIZE = 4294967296 (0x100000000) (4096.0 MiB)
>>>>>     23681 snf.0.-1 P (environ)        SNF_DESCRING_SIZE = 1073741824 (0x40000000) (1024.0 MiB)
>>>>>     23681 snf.0.-1 P (userset)                SNF_FLAGS = 1 (0x1)
>>>>>     23681 snf.0.-1 P (environ)           SNF_DEBUG_MASK = 3 (0x3)
>>>>>     23681 snf.0.-1 P (default)       SNF_DEBUG_FILENAME = stderr
>>>>>     23681 snf.0.-1 P (environ)               SNF_APP_ID = 10 (0xa)
>>>>>
>>>>>
>>>>>
>>>>>     --
>>>>>     - Justin Azoff
>>>>>
>>>>>
>>>>>     _______________________________________________
>>>>>     Bro mailing list
>>>>>     bro at bro-ids.org <mailto:bro at bro-ids.org>
>>>>>     http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>>



-- 
Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
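
Added example, not part of the original thread and not code from Bro or Myricom: a small checker for the SNF_DEBUG_MASK=3 startup lines quoted above, reporting any requested ring setting that the library did not take from the environment. The function names are hypothetical, the line layout is assumed from the output in the thread, GOOD reuses two lines from that output, and BAD is a constructed sample.

```python
import re

# Layout assumed from the thread: "<pid> snf.0.-1 P (<source>) <NAME> = <value> ..."
LINE_RE = re.compile(r"\((\w+)\)\s+(SNF_\w+)\s*=\s*(\S+)")

def parse_snf_debug(text):
    """Return {name: (source, value)} for every SNF parameter line found."""
    params = {}
    for source, name, raw in LINE_RE.findall(text):
        try:
            value = int(raw, 0)
        except ValueError:
            value = raw  # non-numeric, e.g. SNF_DEBUG_FILENAME = stderr
        params[name] = (source, value)
    return params

def check_env_applied(text, expected):
    """List the requested settings that were not applied from the environment."""
    seen, problems = parse_snf_debug(text), []
    for name, want in expected.items():
        source, got = seen.get(name, (None, None))
        if source is None:
            problems.append(f"{name}: not reported")
        elif source != "environ":
            problems.append(f"{name}: source is '{source}', expected 'environ'")
        if source is not None and got != want:
            problems.append(f"{name}: value {got}, requested {want}")
    return problems

# Ring sizes requested on the tcpdump command line quoted in the thread.
EXPECTED = {"SNF_DATARING_SIZE": 4294967296,
            "SNF_DESCRING_SIZE": 1073741824}

# Two ring-size lines from the output quoted in the thread.
GOOD = """\
23681 snf.0.-1 P (environ)        SNF_DATARING_SIZE = 4294967296 (0x100000000) (4096.0 MiB)
23681 snf.0.-1 P (environ)        SNF_DESCRING_SIZE = 1073741824 (0x40000000) (1024.0 MiB)
"""

# Constructed failure sample: data ring reported as "userset" with another size.
BAD = """\
23681 snf.0.-1 P (userset)        SNF_DATARING_SIZE = 268435456 (0x10000000) (256.0 MiB)
23681 snf.0.-1 P (environ)        SNF_DESCRING_SIZE = 1073741824 (0x40000000) (1024.0 MiB)
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, check_env_applied(text, EXPECTED) or "all applied")
```

SNF_FLAGS is left out of EXPECTED because the output quoted in the thread shows it as "userset" even when it is passed in the environment.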

