[Bro] how to get not duplicated packets

Seong Hyeok Seo pulgrims at gmail.com
Sun Apr 29 18:08:59 PDT 2018


Thanks a lot, Mark!
It’s solved by adding “PFRINGClusterID = 21” in the cfg file.
It works well!


On Saturday, April 28, 2018, Mark Buchanan <mabuchan at gmail.com> wrote:

> From one of Justin's posts a while back (as I have struggled with this
> numerous times) - this may or may not be the issue, but putting it out
> there if it is as it has the same symptoms.
>
>     [root at bro-dev ~]# broctl config | grep pfring
>     pfringclusterid = 21
>     pfringclustertype = 4-tuple
>     ringfirstappinstance = 0
>
> If you have pfringclusterid set to 0, that's the problem that was just
> fixed.  You can easily work around that by adding
>
> PFRINGClusterID = 21
>
> to your /usr/local/bro/etc/broctl.cfg
>
> Mark
>
> On Fri, Apr 27, 2018 at 9:59 AM Seong Hyeok Seo <pulgrims at gmail.com>
> wrote:
>
>> Yes, I will do that.
>>
>> On Fri, 27 Apr 2018 at 11:54 PM Vlad Grigorescu <vlad at es.net> wrote:
>>
>>> Would you mind also sending your reply to the bro mailing list? That way
>>> other people can also help you, and it will provide information to anyone
>>> else that might run into this same issue in the future. Thanks.
>>>
>>> On Fri, Apr 27, 2018 at 2:49 PM, Seong Hyeok Seo <pulgrims at gmail.com>
>>> wrote:
>>>
>>>> We’re working on 2 machines. We set one worker on a single server and a
>>>> manager and a proxy on the other one.
>>>> And actually we emailed a pfring developer and they replied with this...
>>>> “it seems that Bro is not setting up a pf_ring cluster to distribute
>>>> the traffic across the instances (it should call pfring_set_cluster),
>>>> please write to the Bro mailing list as we are not maintaining that
>>>> code sorry.”
>>>>
>>>>
>>>> On Fri, 27 Apr 2018 at 11:33 PM Vlad Grigorescu <vlad at es.net> wrote:
>>>>
>>>>> Could you provide a bit more detail about your setup? Are the workers
>>>>> all running on a single server, or are they distributed across multiple
>>>>> servers?
>>>>>
>>>>> What I'm trying to determine is at what point the duplication is
>>>>> happening.
>>>>>
>>>>> On Fri, Apr 27, 2018 at 9:47 AM, Seong Hyeok Seo <pulgrims at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi, we're doing a job that is collecting traffic by using Bro and
>>>>>> PF_RING, but we found that each Bro worker got the same full traffic
>>>>>> stream.
>>>>>> We think the packet is duplicated as many times as the process number
>>>>>> that we set in a config file (bro/etc/node.cfg).
>>>>>>
>>>>>> These are OS, Bro, PF_RING Ver. that we're using.
>>>>>>
>>>>>>
>>>>>> OS: CentOS 7.4.1708 (Core)
>>>>>> Bro: 2.5.3
>>>>>> PF RING: 7.1.0-1859
>>>>>>
>>>>>> We installed those things, referring to this page:
>>>>>> https://www.bro.org/documentation/load-balancing.html
>>>>>> and node.cfg is like this
>>>>>> ------------------------------------------
>>>>>>
>>>>>> [manager]
>>>>>> type=manager
>>>>>> host=X.X.X.X
>>>>>>
>>>>>> [proxy-1]
>>>>>> type=proxy
>>>>>> host=X.X.X.X
>>>>>>
>>>>>> [worker-1]
>>>>>> type=worker
>>>>>> host=X.X.X.X
>>>>>> interface=eth0
>>>>>> lb_method=pf_ring
>>>>>> lb_procs=8
>>>>>> --------------------------------------------------
>>>>>>
>>>>>> please, help us to fix this and thank you in advance.
>>>>>>
>>>>>> Sincerely,
>>>>>> Seonghyoek
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Bro mailing list
>>>>>> bro at bro-ids.org
>>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>>>
>>>>>
>>>>>
>
>
>
> --
> Mark Buchanan
>
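
A check for the condition this thread ends on, as an added example that is not part of any poster's message or of Bro itself: it reads saved `broctl config` output and a node.cfg and reports when pf_ring load balancing is configured while pfringclusterid is 0. The function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). File paths passed in are the caller's.

# Print the pfringclusterid value found in saved `broctl config` output.
pfring_cluster_id() {
    awk -F'=' 'tolower($1) ~ /^[ \t]*pfringclusterid[ \t]*$/ {
        gsub(/[ \t\r]/, "", $2); print $2; exit }' "$1"
}

# Print node.cfg sections that use lb_method=pf_ring with lb_procs > 1.
pfring_lb_nodes() {
    awk '
        function emit() { if (name != "" && m == "pf_ring" && p > 1) print name }
        /^[ \t]*\[/ { emit(); name = $0; sub(/^[ \t]*\[/, "", name)
                      sub(/\].*$/, "", name); m = ""; p = 0; next }
        /^[ \t]*#/  { next }
        { split($0, kv, "="); k = kv[1]; v = kv[2]
          gsub(/[ \t\r]/, "", k); gsub(/[ \t\r]/, "", v)
          if (k == "lb_method") m = v
          if (k == "lb_procs")  p = v + 0 }
        END { emit() }
    ' "$1"
}

# 0 = fine, 1 = cluster ID is 0 with pf_ring workers, 2 = ID not reported.
check_pfring_cluster() {
    id=$(pfring_cluster_id "$1")
    nodes=$(pfring_lb_nodes "$2" | tr '\n' ' ')
    if [ -z "$nodes" ]; then echo "OK: no pf_ring load-balanced workers"; return 0; fi
    if [ -z "$id" ]; then echo "UNKNOWN: pfringclusterid not in output"; return 2; fi
    if [ "$id" = "0" ]; then
        echo "WARN: pfringclusterid = 0 with pf_ring workers: $nodes"
        echo "      add 'PFRINGClusterID = 21' to broctl.cfg (fix from this thread)"
        return 1
    fi
    echo "OK: pfringclusterid = $id for: $nodes"
}

# Constructed sample input modelled on the node.cfg and output quoted above.
demo_dir=$(mktemp -d)
printf '[worker-1]\ntype=worker\ninterface=eth0\nlb_method=pf_ring\nlb_procs=8\n' \
    > "$demo_dir/node.cfg"
printf 'pfringclusterid = 0\npfringclustertype = 4-tuple\n' > "$demo_dir/before.txt"
printf 'pfringclusterid = 21\npfringclustertype = 4-tuple\n' > "$demo_dir/after.txt"
check_pfring_cluster "$demo_dir/before.txt" "$demo_dir/node.cfg" || true
check_pfring_cluster "$demo_dir/after.txt" "$demo_dir/node.cfg"
```

On a live sensor the first argument would be a file written with `broctl config > file`, and the second the node.cfg in use.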