[Bro] bro and pf_ring zc configuration success stories
Azoff, Justin S
jazoff at illinois.edu
Thu Sep 28 07:12:25 PDT 2017
> On Sep 28, 2017, at 9:49 AM, radek <radoslawc at gmail.com> wrote:
>
> Yes, plugin is installed,
> root at u1604:~# /opt/bro/bin/bro -N | grep -v built-in
> Bro::PF_RING - Packet acquisition via PF_RING (dynamic, version 1.0)
>
> with worker definition:
> [worker-1]
> type=worker
> host=localhost
> interface=zc:27
> lb_method=pf_ring
> lb_procs=20
>
> I've double checked now and I'm able to start and all 20 threads are reported to be running in broctl.
Yes, but the plugin is only actually used when you have interface=pf_ring::...
If you are using interface=zc:27 then you're just opening the zc: interfaces using libpcap.
According to http://www.ntop.org/pf_ring/best-practices-for-using-bro_ids-with-pf_ring-zc-reliably/. You should run zbalance_ipc using dummy interfaces like
-r 0:dummy0 -r 1:dummy1 -r 2:dummy2 -r 3:dummy3
Then you would configure bro like
[worker-0]
type=worker
host=localhost
interface=pf_ring::dummy0
pin_cpus=1
[worker-1]
type=worker
host=localhost
interface=pf_ring::dummy1
pin_cpus=2
[worker-2]
type=worker
host=localhost
interface=pf_ring::dummy2
pin_cpus=3
[worker-3]
type=worker
host=localhost
interface=pf_ring::dummy3
pin_cpus=4
—
Justin Azoff
More information about the Bro
mailing list