[Bro] BRO with PF_Ring multiplies log records
Mark Buchanan
mabuchan at gmail.com
Thu Aug 9 11:44:00 PDT 2018
From one of Justin's posts a while back (as I have struggled with this
numerous times) - this may or may not be the issue, but putting it out
there in case it is, as it has the same symptoms.
[root at bro-dev ~]# broctl config | grep pfring
pfringclusterid = 21
pfringclustertype = 4-tuple
ringfirstappinstance = 0
If you have pfringclusterid set to 0, that's the problem that was just
fixed. You can easily work around that by adding
PFRINGClusterID = 21
to your /usr/local/bro/etc/broctl.cfg
Mark
On Thu, Aug 9, 2018 at 13:39 Yasha Levin <ee-berry at yandex.ru> wrote:
> Hello BRO community,
>
> Need a bit of a help with pf_ring load balancing
>
> I have the following setup:
>
> - One server with one 10G interface
> - bro 2.5.4 compiled and installed with pf_ring support
> - latest pf_ring installed
> - I want multiple bro processes to capture the traffic with pf_ring
> balancing
>
> node.cfg is below:
>
> [logger]
> type=logger
> host=localhost
>
> [manager]
> type=manager
> host=localhost
>
> [proxy-1]
> type=proxy
> host=localhost
>
> [worker-1]
> type=worker
> host=localhost
> interface=pf_ring::p2p2
> lb_method=pf_ring
> lb_procs=4
>
> Now when I run such config on the test traffic, it looks like *each* bro
> process receives *all* the traffic, with no flow balancing between
> processes. For example, each http request in my pcap file is recorded 4
> times in http.log (and I run 4 processes). When I put lb_procs=1 everything
> is fine again.
>
> What am I doing wrong with this balancing?
--
Mark Buchanan
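
Added example (not part of the original thread, and not code from Bro or BroControl): a small pre-flight check for the condition described above, flagging workers that run several pf_ring processes while `broctl config` reports pfringclusterid = 0. The sample inputs are constructed from the values quoted in this thread, the function names are hypothetical, and treating a missing pfringclusterid line as 0 is an assumption.

```python
import configparser

# Constructed sample inputs, modelled on the values quoted in the thread.
NODE_CFG = """
[logger]
type=logger
host=localhost

[worker-1]
type=worker
host=localhost
interface=pf_ring::p2p2
lb_method=pf_ring
lb_procs=4
"""
BROCTL_CONFIG_BAD = "pfringclusterid = 0\npfringclustertype = 4-tuple\n"
BROCTL_CONFIG_GOOD = "pfringclusterid = 21\npfringclustertype = 4-tuple\n"


def parse_broctl_config(text):
    """Parse the 'key = value' lines printed by `broctl config`."""
    opts = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts


def find_unbalanced_workers(node_cfg_text, broctl_config_text):
    """Return workers with lb_procs > 1 on pf_ring while the cluster ID is 0."""
    opts = parse_broctl_config(broctl_config_text)
    # Assumption: a missing pfringclusterid line is treated like 0.
    cluster_id = int(opts.get("pfringclusterid", "0"))
    nodes = configparser.ConfigParser()
    nodes.read_string(node_cfg_text)
    flagged = []
    for name in nodes.sections():
        node = nodes[name]
        if node.get("type") != "worker" or node.get("lb_method") != "pf_ring":
            continue
        if node.getint("lb_procs", fallback=1) > 1 and cluster_id == 0:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for worker in find_unbalanced_workers(NODE_CFG, BROCTL_CONFIG_BAD):
        print(f"{worker}: lb_procs > 1 with pfringclusterid = 0; "
              "set PFRINGClusterID in broctl.cfg")
```

On a live sensor, feed it the contents of node.cfg and the output of `broctl config` instead of the constructed strings.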