[Bro] PF_RING Help Needed

Philip Romero promero at cenic.org
Thu Oct 12 14:14:26 PDT 2017


All,

I've been meaning to get PF_RING going for a while and am now trying to 
focus on getting it working. Until now I've been running the 
"standalone" [bro] config at the top of my node.cfg output below. I've 
been through the past threads and came across some info related to output
that might confirm if pf_ring and bro were compiled together correctly.
Below I've added the output of some of the commands suggested for input on
troubleshooting the issue.

I suspect an error in some part of my config or setup since I don't get 
any usable logs when the load-balance/pf_ring node.cfg settings are
enabled. If I comment them out and do a broctl deploy, usable logs
immediately appear in my log directory. Any hints or suggestions as to 
why my pf_ring configuration is not working would be greatly 
appreciated. Let me know if any additional details I need to provide 
would help shed some light on my issue.

[root@xxx-bro-1 etc]# cat node.cfg
# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.

# This is a complete standalone configuration.  Most likely you will
# only need to change the interface.
#[bro]
#type=standalone
#host=localhost
#interface=ens2f0

## Below is an example clustered configuration. If you use this,
## remove the [bro] node above.

#[logger]
#type=logger
#host=localhost
#
[manager]
type=manager
host=localhost
#
[proxy-1]
type=proxy
host=localhost
#
[worker-1]
lb_method=pf_ring
lb_procs=4
pin_cpus=4,5,6,7
type=worker
host=localhost
interface=ens2f0
#
#[worker-2]
#type=worker
#host=localhost
#interface=eth0
[root@xxx-bro-1 etc]#

[root@xxx-bro-1 etc]# broctl status
Name         Type    Host             Status    Pid    Started
manager      manager localhost        running   24982  12 Oct 13:51:46
proxy-1      proxy   localhost        running   25040  12 Oct 13:51:48
worker-1-1   worker  localhost        running   25123  12 Oct 13:51:49
worker-1-2   worker  localhost        running   25126  12 Oct 13:51:49
worker-1-3   worker  localhost        running   25124  12 Oct 13:51:49
worker-1-4   worker  localhost        running   25125  12 Oct 13:51:49

[root@xxx-bro-1 etc]# broctl config | grep pfring
pfringclusterid = 21
pfringclustertype = 4-tuple
pfringfirstappinstance = 0

[root@xxx-bro-1 etc]# ldd /usr/local/bro/bin/bro
     linux-vdso.so.1 =>  (0x00007ffeaabf8000)
     libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f9c52470000)
     libssl.so.10 => /lib64/libssl.so.10 (0x00007f9c521f5000)
     libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f9c51d94000)
     libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f9c51b7a000)
     libz.so.1 => /lib64/libz.so.1 (0x00007f9c51963000)
     libGeoIP.so.1 => /lib64/libGeoIP.so.1 (0x00007f9c51733000)
     libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f9c51517000)
     libdl.so.2 => /lib64/libdl.so.2 (0x00007f9c51312000)
     libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f9c5100a000)
     libm.so.6 => /lib64/libm.so.6 (0x00007f9c50d08000)
     libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f9c50af1000)
     libc.so.6 => /lib64/libc.so.6 (0x00007f9c5072e000)
     librt.so.1 => /lib64/librt.so.1 (0x00007f9c50526000)
     libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f9c502d8000)
     libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f9c4fff0000)
     libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f9c4fdec000)
     libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f9c4fbb8000)
     /lib64/ld-linux-x86-64.so.2 (0x0000561284250000)
     libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f9c4f9aa000)
     libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f9c4f7a5000)
     libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f9c4f57e000)
     libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f9c4f31b000)

[root@xxx-bro-1 etc]# cat /proc/net/pf_ring/*
Bound Device(s)    : ens2f0
Active             : 1
Breed              : Standard
Appl. Name         : bro-ens2f0
Socket Mode        : RX+TX
Capture Direction  : RX+TX
Sampling Rate      : 1
IP Defragment      : No
BPF Filtering      : Disabled
Sw Filt Hash Rules : 0
Sw Filt WC Rules   : 0
Hw Filt Rules      : 0
Sw Filt Hash Match : 0
Sw Filt Hash Miss  : 0
Poll Pkt Watermark : 1
Num Poll Calls     : 3940305
Channel Id Mask    : 0xFFFFFFFFFFFFFFFF
Cluster Id         : 21
Slot Version       : 16 [6.6.0]
Min Num Slots      : 32768
Bucket Len         : 8192
Slot Len           : 8248 [bucket+header]
Tot Memory         : 270282752
Tot Packets        : 468041
Tot Pkt Lost       : 0
Tot Insert         : 468041
Tot Read           : 468041
Insert Offset      : 53220976
Remove Offset      : 53220976
Num Free Slots     : 32768
TX: Send Ok        : 0
TX: Send Errors    : 0
Reflect: Fwd Ok    : 0
Reflect: Fwd Errors: 0
Bound Device(s)    : ens2f0
Active             : 1
Breed              : Standard
Appl. Name         : bro-ens2f0
Socket Mode        : RX+TX
Capture Direction  : RX+TX
Sampling Rate      : 1
IP Defragment      : No
BPF Filtering      : Disabled
Sw Filt Hash Rules : 0
Sw Filt WC Rules   : 0
Hw Filt Rules      : 0
Sw Filt Hash Match : 0
Sw Filt Hash Miss  : 0
Poll Pkt Watermark : 1
Num Poll Calls     : 3928875
Channel Id Mask    : 0xFFFFFFFFFFFFFFFF
Cluster Id         : 21
Slot Version       : 16 [6.6.0]
Min Num Slots      : 32768
Bucket Len         : 8192
Slot Len           : 8248 [bucket+header]
Tot Memory         : 270282752
Tot Packets        : 278361
Tot Pkt Lost       : 0
Tot Insert         : 278361
Tot Read           : 278361
Insert Offset      : 153697792
Remove Offset      : 153697792
Num Free Slots     : 32768
TX: Send Ok        : 0
TX: Send Errors    : 0
Reflect: Fwd Ok    : 0
Reflect: Fwd Errors: 0
Bound Device(s)    : ens2f0
Active             : 1
Breed              : Standard
Appl. Name         : bro-ens2f0
Socket Mode        : RX+TX
Capture Direction  : RX+TX
Sampling Rate      : 1
IP Defragment      : No
BPF Filtering      : Disabled
Sw Filt Hash Rules : 0
Sw Filt WC Rules   : 0
Hw Filt Rules      : 0
Sw Filt Hash Match : 0
Sw Filt Hash Miss  : 0
Poll Pkt Watermark : 1
Num Poll Calls     : 4036165
Channel Id Mask    : 0xFFFFFFFFFFFFFFFF
Cluster Id         : 21
Slot Version       : 16 [6.6.0]
Min Num Slots      : 32768
Bucket Len         : 8192
Slot Len           : 8248 [bucket+header]
Tot Memory         : 270282752
Tot Packets        : 497001
Tot Pkt Lost       : 0
Tot Insert         : 497001
Tot Read           : 497001
Insert Offset      : 217876744
Remove Offset      : 217876744
Num Free Slots     : 32768
TX: Send Ok        : 0
TX: Send Errors    : 0
Reflect: Fwd Ok    : 0
Reflect: Fwd Errors: 0
Bound Device(s)    : ens2f0
Active             : 1
Breed              : Standard
Appl. Name         : bro-ens2f0
Socket Mode        : RX+TX
Capture Direction  : RX+TX
Sampling Rate      : 1
IP Defragment      : No
BPF Filtering      : Disabled
Sw Filt Hash Rules : 0
Sw Filt WC Rules   : 0
Hw Filt Rules      : 0
Sw Filt Hash Match : 0
Sw Filt Hash Miss  : 0
Poll Pkt Watermark : 1
Num Poll Calls     : 3935048
Channel Id Mask    : 0xFFFFFFFFFFFFFFFF
Cluster Id         : 21
Slot Version       : 16 [6.6.0]
Min Num Slots      : 32768
Bucket Len         : 8192
Slot Len           : 8248 [bucket+header]
Tot Memory         : 270282752
Tot Packets        : 383337
Tot Pkt Lost       : 0
Tot Insert         : 383337
Tot Read           : 383337
Insert Offset      : 213239720
Remove Offset      : 213239720
Num Free Slots     : 32768
TX: Send Ok        : 0
TX: Send Errors    : 0
Reflect: Fwd Ok    : 0
Reflect: Fwd Errors: 0
cat: /proc/net/pf_ring/dev: Is a directory
PF_RING Version          : 6.6.0 (unknown)
Total rings              : 4

Standard (non ZC) Options
Ring slots               : 32768
Slot version             : 16
Capture TX               : No [RX only]
IP Defragment            : No
Socket Mode              : Standard
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0
cat: /proc/net/pf_ring/stats: Is a directory
[root@xxx-bro-1 etc]#

-- 
Philip Romero, CISSP, CISA
Sr. Information Security Analyst
CENIC
promero at cenic.org
Phone: (714) 220-3430
Mobile: (562) 237-9290
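
A sanity check over the kind of diagnostics shown in the message above, as an added example that is not part of the original post: it parses concatenated `cat /proc/net/pf_ring/*` output and compares the ring entries against the `lb_procs` and `pfringclusterid` values. The function names and the sample text are constructed for illustration; only field names that appear in the posted output are used.

```python
import re

FIELD = re.compile(r"^(.+?)\s+:\s+(.*)$")  # "Key   : value"; keys may contain ':'

def parse_pf_ring(text):
    """Split concatenated `cat /proc/net/pf_ring/*` output into one dict per
    ring plus the global info section that starts at 'PF_RING Version'."""
    rings, info, current = [], {}, None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue                     # e.g. "cat: ...: Is a directory"
        key, value = m.groups()
        if key == "Bound Device(s)":     # first field of every ring entry
            current = {}
            rings.append(current)
        elif key == "PF_RING Version":   # global info follows the rings
            current = info
        if current is not None:
            current[key] = value
    return rings, info

def check_cluster(rings, lb_procs, cluster_id):
    """Return findings; an empty list means the rings match the settings."""
    findings = []
    if len(rings) != lb_procs:
        findings.append(f"{len(rings)} rings open, lb_procs={lb_procs}")
    for n, ring in enumerate(rings, 1):
        if ring.get("Cluster Id") != str(cluster_id):
            findings.append(f"ring {n}: cluster id {ring.get('Cluster Id')}")
        if int(ring.get("Tot Packets", 0)) == 0:
            findings.append(f"ring {n}: no packets delivered")
        if int(ring.get("Tot Pkt Lost", 0)) > 0:
            findings.append(f"ring {n}: {ring['Tot Pkt Lost']} packets lost")
    return findings

def sample_ring(cluster_id, packets, lost):
    """Constructed ring entry, cut down to the fields checked above."""
    return (f"Bound Device(s)    : ens2f0\nCluster Id         : {cluster_id}\n"
            f"Tot Packets        : {packets}\nTot Pkt Lost       : {lost}\n"
            "TX: Send Ok        : 0\n")

GOOD = (sample_ring(21, 468041, 0) + sample_ring(21, 278361, 0)
        + "cat: /proc/net/pf_ring/dev: Is a directory\n"
        + "PF_RING Version          : 6.6.0 (unknown)\nTotal rings              : 2\n")
BAD = sample_ring(21, 468041, 0) + sample_ring(99, 0, 12)  # constructed faults

if __name__ == "__main__":
    print(check_cluster(parse_pf_ring(BAD)[0], lb_procs=2, cluster_id=21))
```

An empty result only says that the expected number of rings is open in the expected cluster, each has received packets, and none reports loss; it says nothing about what happens to the packets after the capture layer.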
