[Bro] how to get not duplicated packets

Mark Buchanan mabuchan at gmail.com
Fri Apr 27 10:22:08 PDT 2018


From one of Justin's posts a while back (as I have struggled with this
numerous times) - this may or may not be the issue, but putting it out
there if it is as it has the same symptoms.

    [root@bro-dev ~]# broctl config | grep pfring
    pfringclusterid = 21
    pfringclustertype = 4-tuple
    ringfirstappinstance = 0

If you have pfringclusterid set to 0, that's the problem that was just
fixed.  You can easily work around that by adding

PFRINGClusterID = 21

to your /usr/local/bro/etc/broctl.cfg

Mark

On Fri, Apr 27, 2018 at 9:59 AM Seong Hyeok Seo <pulgrims at gmail.com> wrote:

> Yes, I will do that.
>
> On Fri, 27 Apr 2018 at 11:54 PM Vlad Grigorescu <vlad at es.net> wrote:
>
>> Would you mind also sending your reply to the bro mailing list? That way
>> other people can also help you, and it will provide information to anyone
>> else that might run into this same issue in the future. Thanks.
>>
>> On Fri, Apr 27, 2018 at 2:49 PM, Seong Hyeok Seo <pulgrims at gmail.com>
>> wrote:
>>
>>> We’re working on 2 machines. We set one worker on a single server and a
>>> manager and a proxy on the other one.
>>> And actually we emailed a pfring developer and they replied this...
>>> “it seems that Bro is not setting up a pf_ring cluster to distribute
>>> the traffic across the instances (it should call pfring_set_cluster),
>>> please write to the Bro mailing list as we are not maintaining that code
>>> sorry.”
>>>
>>>
>>> On Fri, 27 Apr 2018 at 11:33 PM Vlad Grigorescu <vlad at es.net> wrote:
>>>
>>>> Could you provide a bit more detail about your setup? Are the workers
>>>> all running on a single server, or are they distributed across multiple
>>>> servers?
>>>>
>>>> What I'm trying to determine is at what point the duplication is
>>>> happening.
>>>>
>>>> On Fri, Apr 27, 2018 at 9:47 AM, Seong Hyeok Seo <pulgrims at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi, we're doing a job that collects traffic by using Bro and PF_RING,
>>>>> but we found that each Bro worker got the same full traffic stream.
>>>>> We think the packet is duplicated as many times as the process number
>>>>> that we set in a config file (bro/etc/node.cfg).
>>>>>
>>>>> These are the OS, Bro, and PF_RING versions that we're using.
>>>>>
>>>>>
>>>>> OS: CentOS 7.4.1708 (Core)
>>>>> Bro: 2.5.3
>>>>> PF RING: 7.1.0-1859
>>>>>
>>>>> We installed those things, referring to this page,
>>>>> https://www.bro.org/documentation/load-balancing.html
>>>>> and node.cfg is like this
>>>>> ------------------------------------------
>>>>>
>>>>> [manager]
>>>>> type=manager
>>>>> host=X.X.X.X
>>>>>
>>>>> [proxy-1]
>>>>> type=proxy
>>>>> host=X.X.X.X
>>>>>
>>>>> [worker-1]
>>>>> type=worker
>>>>> host=X.X.X.X
>>>>> interface=eth0
>>>>> lb_method=pf_ring
>>>>> lb_procs=8
>>>>> --------------------------------------------------
>>>>>
>>>>> Please help us to fix this, and thank you in advance.
>>>>>
>>>>> Sincerely,
>>>>> Seonghyoek
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Bro mailing list
>>>>> bro at bro-ids.org
>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>>
>>>>
>>>>



-- 
Mark Buchanan
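
A check for the symptom discussed in this thread, as an added example that is not part of the original messages or of broctl: it reads the text printed by `broctl config` and a node.cfg, and reports pf_ring workers that run several processes while pfringclusterid is 0. The function names and the failing sample output are constructed here, and treating a missing pfringclusterid line as a finding is an assumption.

```python
import configparser

# Constructed samples: node.cfg as posted in the thread, plus `broctl config`
# output for the failing case (0) and the working case shown in the reply (21).
NODE_CFG = """
[manager]
type=manager
host=X.X.X.X

[worker-1]
type=worker
host=X.X.X.X
interface=eth0
lb_method=pf_ring
lb_procs=8
"""
BROKEN = "pfringclusterid = 0\npfringclustertype = 4-tuple\n"
FIXED = "pfringclusterid = 21\npfringclustertype = 4-tuple\n"

def effective_options(broctl_config_output):
    """Parse 'key = value' lines as printed by `broctl config`."""
    opts = {}
    for line in broctl_config_output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts

def pf_ring_findings(node_cfg_text, broctl_config_output):
    """Return (node, lb_procs, reason) for each pf_ring worker at risk."""
    cluster_id = effective_options(broctl_config_output).get("pfringclusterid")
    nodes = configparser.ConfigParser(interpolation=None)
    nodes.read_string(node_cfg_text)
    findings = []
    for name in nodes.sections():
        node = nodes[name]
        if node.get("type") != "worker" or node.get("lb_method") != "pf_ring":
            continue
        procs = node.getint("lb_procs", fallback=1)
        if procs < 2:
            continue  # a single process has nothing to balance against
        if cluster_id is None:
            # Assumption: no reported value is worth a manual look.
            findings.append((name, procs, "pfringclusterid not reported"))
        elif cluster_id == "0":
            findings.append((name, procs, "pfringclusterid is 0"))
    return findings

if __name__ == "__main__":
    for finding in pf_ring_findings(NODE_CFG, BROKEN):
        print("node %s: lb_procs=%d, %s" % finding)
```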