[Bro] bro and pf_ring zc configuration success stories

radek radoslawc at gmail.com
Thu Sep 28 08:12:46 PDT 2017


Hi!
Yes, this was my initial setup (with dummy interfaces). I've used a worker
definition like you've suggested (pf_ring::dummy{0..19}) - before I was
using interface=dummy{0..19}.
It works, with the same traffic replayed, netstats:

https://gist.github.com/radoslawc/4ca4d2f8bb0e7a2e5763d53eb31b59de

so almost no drops,

capstats returns nothing with interface=pf_ring::dummy{0..19}, with
interface=dummy{0..19} it worked, but that's not the issue.

Here's htop btw:
https://imgur.com/a/99ETo

My question is: with dummy interfaces, doesn't it defeat the purpose of
zerocopy? It has to pass packets through the kernel to the dummy interface.

Also, I've used a worker definition for 20 of them:

[worker-0]
type=worker
host=localhost
interface=pf_ring::zc:27@0
pin_cpus=1

and the result was identical to using:

[worker-0]
type=worker
host=localhost
interface=zc:27
lb_method=pf_ring
lb_procs=20

meaning all used cores loaded at 100% and instant high packet drop:

netstats from broctl:
https://gist.github.com/radoslawc/c7d5c97fe443b1bed62ca4025249a342

Best regards
Rado



On 28 September 2017 at 16:12, Azoff, Justin S <jazoff at illinois.edu> wrote:

>
> > On Sep 28, 2017, at 9:49 AM, radek <radoslawc at gmail.com> wrote:
> >
> > Yes, plugin is installed,
> > root@u1604:~# /opt/bro/bin/bro -N | grep -v built-in
> > Bro::PF_RING - Packet acquisition via PF_RING (dynamic, version 1.0)
> >
> > with worker definition:
> > [worker-1]
> > type=worker
> > host=localhost
> > interface=zc:27
> > lb_method=pf_ring
> > lb_procs=20
> >
> > I've double checked now and I'm able to start and all 20 threads are
> > reported to be running in broctl.
>
> Yes, but the plugin is only actually used when you have
> interface=pf_ring::...
>
> If you are using interface=zc:27 then you're just opening the zc:
> interfaces using libpcap.
>
> According to
> http://www.ntop.org/pf_ring/best-practices-for-using-bro_ids-with-pf_ring-zc-reliably/,
> you should run zbalance_ipc using dummy interfaces like
>
> -r 0:dummy0 -r 1:dummy1 -r 2:dummy2 -r 3:dummy3
>
> Then you would configure bro like
>
> [worker-0]
> type=worker
> host=localhost
> interface=pf_ring::dummy0
> pin_cpus=1
>
> [worker-1]
> type=worker
> host=localhost
> interface=pf_ring::dummy1
> pin_cpus=2
>
> [worker-2]
> type=worker
> host=localhost
> interface=pf_ring::dummy2
> pin_cpus=3
>
> [worker-3]
> type=worker
> host=localhost
> interface=pf_ring::dummy3
> pin_cpus=4
>
>
>
>> Justin Azoff
>
>
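Added example (not part of the original thread, and not Bro or ntop code): a Python script that applies the reply's point that the Bro::PF_RING plugin is used only with interface=pf_ring::..., by classifying each worker in a broctl node.cfg by capture path and listing zbalance_ipc egress devices that no prefixed worker reads. The function names and the sample configuration are constructed for this example.

```python
import configparser
import re

PREFIX = "pf_ring::"  # selects the Bro::PF_RING plugin, per the reply above

def capture_path(interface):
    """'plugin' for pf_ring::-prefixed interfaces, otherwise 'libpcap'."""
    return "plugin" if interface.startswith(PREFIX) else "libpcap"

def egress_devices(zbalance_args):
    """Device names from the '-r <n>:<device>' pairs quoted in the thread."""
    return re.findall(r"-r\s+\d+:(\S+)", zbalance_args)

def audit(node_cfg_text, zbalance_args):
    """Return (paths, unread): capture path per worker section, and egress
    devices that no pf_ring::-prefixed worker reads."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(node_cfg_text)
    paths, read = {}, set()
    for name in cfg.sections():
        if cfg[name].get("type") != "worker":
            continue
        iface = cfg[name].get("interface", "")
        paths[name] = capture_path(iface)
        if paths[name] == "plugin":
            read.add(iface[len(PREFIX):])
    unread = [d for d in egress_devices(zbalance_args) if d not in read]
    return paths, unread

# Constructed sample: worker-0 as recommended in the thread, worker-1 without the prefix.
SAMPLE_CFG = """
[worker-0]
type=worker
interface=pf_ring::dummy0
pin_cpus=1

[worker-1]
type=worker
interface=dummy1
pin_cpus=2
"""
SAMPLE_ARGS = "-r 0:dummy0 -r 1:dummy1"

if __name__ == "__main__":
    paths, unread = audit(SAMPLE_CFG, SAMPLE_ARGS)
    for worker, path in paths.items():
        print(f"{worker}: {path}")
    print("egress devices without a pf_ring:: worker:", unread)
```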