[Bro] BRO with PF_Ring multiplies log records

Mark Buchanan mabuchan at gmail.com
Fri Aug 10 16:19:53 PDT 2018


If you have a p2p2 interface, does that mean that card is a Myricom card?
Have you loaded any of the SNF (Sniffer 10g+) drivers up? I'm very
familiar with those, but I've observed that to be the interface on
occasions. If so, I'm not sure how PF_RING, Myricom/SNF and Bro play
together.

Mark

On Fri, Aug 10, 2018 at 10:16 AM Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Aug 10, 2018, at 7:44 AM, Yasha Levin <ee-berry at yandex.ru> wrote:
> >
> > Mark, thanks for your response
> >
> > I've tried setting PFRINGClusterID as you advised. Unfortunately that
> hasn't changed anything - I still see that each event is multiplied by
> number of processes (x4 in my case). So each flow hits all the processes,
> with no actual balancing between them.
> >
> > Anything else I could check?
>
> Can you confirm that
>
>     broctl config | grep pfring
>
> outputs something like
>
> pfringclusterid = 21
> pfringclustertype = 4-tuple
>
> There was a problem with this configuration in the bro-pf_ring plugin, but I
> got that fixed last September.
> Did you install the plugin recently?
>
>
> Justin Azoff



-- 
Mark Buchanan
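
A way to measure the symptom discussed in this thread (each flow logged once per worker process), as an added example that is not part of the original messages: the script groups conn.log records by 5-tuple within a one-second bucket and counts distinct uids. The sample log is constructed, and the function name and bucket size are assumptions.

```python
from collections import defaultdict

# Constructed sample in Bro's TSV log layout (conn.log fields trimmed).
# The HTTPS flow appears four times with four different uids, as it would
# if four workers each saw every packet; the DNS flow appears once.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1533914393.100001\tCw1aaa\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp",
    "1533914393.100007\tCw2bbb\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp",
    "1533914393.100012\tCw3ccc\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp",
    "1533914393.100020\tCw4ddd\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp",
    "1533914394.500000\tCw1eee\t10.0.0.6\t40000\t192.0.2.53\t53\tudp",
])

FLOW_KEY = ("id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")


def duplicated_flows(log_text, window=1.0):
    """Return {5-tuple: distinct uid count} for flows logged more than once.

    Heuristic: records with the same 5-tuple whose timestamps fall in the
    same `window`-second bucket are treated as copies of one flow.
    """
    fields = []
    uids = defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # column names follow the tag
            continue
        if not line or line.startswith("#"):
            continue  # other header/footer lines
        if not fields:
            raise ValueError("data row seen before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        bucket = int(float(rec["ts"]) // window)
        key = tuple(rec[f] for f in FLOW_KEY) + (bucket,)
        uids[key].add(rec["uid"])
    result = {}
    for key, seen in uids.items():
        if len(seen) > 1:
            flow = key[:-1]
            result[flow] = max(result.get(flow, 0), len(seen))
    return result


if __name__ == "__main__":
    for flow, copies in duplicated_flows(SAMPLE_CONN_LOG).items():
        print("x%d %s" % (copies, " ".join(flow)))
```

A duplication factor equal to the number of worker processes on the interface matches the behaviour described above, where every flow reaches every process instead of being balanced between them.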