[Bro] Bro node.cfg not setting Myricom Sniffer10G environment variables

Alejandro Carreno acarreno at ucsb.edu
Mon Jun 26 07:41:41 PDT 2017


Negative, noticed in 2.5 when 3.0.11 was released.

-Alex

On Mon, Jun 26, 2017 at 7:12 AM Edgmand, Craig <craig.edgmand at okstate.edu>
wrote:

> Does this only impact Bro 2.5.1?
>
> -----Original Message-----
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Seth
> Hall
> Sent: Friday, June 23, 2017 8:23 PM
> To: Chris Chiaverini <cchiaverini at bnl.gov>
> Cc: bro <bro at bro.org>
> Subject: Re: [Bro] Bro node.cfg not setting Myricom Sniffer10G environment
> variables
>
> You could also try the bro-myricom plugin from the Bro package
> repository.  If you have bro-pkg set up, you should be able to do this...
>
> bro-pkg refresh
> bro-pkg install sethhall/bro-myricom
>
> There is documentation on how to use it here:
>     https://github.com/sethhall/bro-myricom
>
> You only configure the data ring size in it.  For some reason they don't
> expose the desc ring size option through their native SNF api, only the
> data ring size.  I'm going to go out on a limb here and guess that you may
> be experiencing weird behavior because they probably want to get rid of the
> desc ring size option.  It makes more sense if they just auto adjust that
> based on the chosen data ring size.
>
>   .Seth
>
>
> On Thu, Jun 22, 2017 at 5:23 PM, Chris Chiaverini <cchiaverini at bnl.gov>
> wrote:
> > Rollback!!!!
> >
> > Myricom opened an internal ticket on their end so hopefully we will
> > see a bugfix soon.
> >
> > Regards,
> >
> > Chris Chiaverini
> > Cyber Security Operations
> > Brookhaven National Laboratory
> > Upton, New York 11973
> >
> > On 06/21/2017 07:59 PM, Aashish Sharma wrote:
> >> Doh! I just upgraded the myricom drivers to 3.0.11 today only :)
> >>
> >> Aashish
> >>
> >> On Wed, Jun 21, 2017 at 06:31:50PM -0400, Chris Chiaverini wrote:
> >>> Alex,
> >>>
> >>> Thank you for this.  I confirmed on my end too... rolled back to
> 3.0.10 and
> >>> it worked.   I will let you know what Myricom comes up with, if they
> will
> >>> fix in next release.
> >>>
> >>>
> >>> Regards,
> >>>
> >>> Chris Chiaverini
> >>> Cyber Security Operations
> >>> Brookhaven National Laboratory
> >>> Upton, New York 11973
> >>>
> >>> On 06/20/2017 11:01 AM, Chris Chiaverini wrote:
> >>>> I have a support case open with them in parallel.  I will report
> >>>> this to them too.  Maybe we'll get a fix in next minor release.
> >>>>
> >>>> Regards,
> >>>>
> >>>> Chris Chiaverini
> >>>> Cyber Security Operations
> >>>> Brookhaven National Laboratory
> >>>> Upton, New York 11973
> >>>> On 06/20/2017 10:09 AM, Alejandro Carreno wrote:
> >>>>> I noticed this behavior as well a while back after upgrading SNF
> >>>>> from
> >>>>> 3.0.10 to 3.0.11. Downgrading back to 3.0.10 would return the ring
> >>>>> sizes to the expected values.
> >>>>>
> >>>>> -Alex
> >>>>>
> >>>>> On Tue, Jun 20, 2017 at 6:47 AM Azoff, Justin S
> >>>>> <jazoff at illinois.edu <mailto:jazoff at illinois.edu>> wrote:
> >>>>>
> >>>>>
> >>>>>     > On Jun 20, 2017, at 9:27 AM, Chris Chiaverini
> >>>>>     <cchiaverini at bnl.gov <mailto:cchiaverini at bnl.gov>> wrote:
> >>>>>     >
> >>>>>     > It seems that bro 2.5.1 is not taking the SNF_DATARING_SIZE
> >>>>>     variable, no matter what I set it to.
> >>>>>     >
> >>>>>     > When at the defaults in the /etc/bro/node.cfg and with nothing
> >>>>>     set at the shell, it still reports it is set via "userset"
> >>>>>     instead of "default" like SNF_DESCRING_SIZE.
> >>>>>
> >>>>>     Can you do this quick test using tcpdump to verify the problem is
> >>>>>     with bro/broctl or something with the myricom driver/library?
> >>>>>
> >>>>>     SNF_APP_ID=10 SNF_FLAGS=0x1 SNF_NUM_RINGS=8 SNF_DEBUG_MASK=3
> >>>>>     SNF_DATARING_SIZE=4294967296 SNF_DESCRING_SIZE=1073741824 tcpdump
> >>>>>     -n -i snf0 -c 1
> >>>>>
> >>>>>     When I run that I get
> >>>>>
> >>>>>     23681 snf.0.-1 P (userset)              SNF_PORTNUM = 0
> >>>>>     23681 snf.0.-1 P (default)              SNF_RING_ID = -1
> (0xffffffff)
> >>>>>     23681 snf.0.-1 P (environ)            SNF_NUM_RINGS = 8 (0x8)
> >>>>>     23681 snf.0.-1 P (default)            SNF_RSS_FLAGS = 49 (0x31)
> >>>>>     23681 snf.0.-1 P (environ)        SNF_DATARING_SIZE = 4294967296
> >>>>>     (0x100000000) (4096.0 MiB)
> >>>>>     23681 snf.0.-1 P (environ)        SNF_DESCRING_SIZE = 1073741824
> >>>>>     (0x40000000) (1024.0 MiB)
> >>>>>     23681 snf.0.-1 P (userset)                SNF_FLAGS = 1 (0x1)
> >>>>>     23681 snf.0.-1 P (environ)           SNF_DEBUG_MASK = 3 (0x3)
> >>>>>     23681 snf.0.-1 P (default)       SNF_DEBUG_FILENAME = stderr
> >>>>>     23681 snf.0.-1 P (environ)               SNF_APP_ID = 10 (0xa)
> >>>>>
> >>>>>
> >>>>>
> >>>>>     --
> >>>>>     - Justin Azoff
> >>>>>
> >>>>>
> >>>>>     _______________________________________________
> >>>>>     Bro mailing list
> >>>>>     bro at bro-ids.org <mailto:bro at bro-ids.org>
> >>>>>     http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >>>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Bro mailing list
> >>>> bro at bro-ids.org
> >>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >>> _______________________________________________
> >>> Bro mailing list
> >>> bro at bro-ids.org
> >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
> --
> Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170626/57bd6833/attachment-0001.html 


More information about the Bro mailing list