[Bro] BRO with PF_Ring multiplies log records

Pearson, Carl (cpearson@uidaho.edu) cpearson at uidaho.edu
Tue Aug 14 08:02:57 PDT 2018 

Yasha,

You’ve probably already checked but are Bro and pf_ring communicating with each other? If you execute the following command (while Bro is running)…

cat /proc/net/pf_ring/info

…what is the value in the “Total rings” field? My understanding is this is the number of processes utilizing pf_ring, it should be 4 if you have 4 Bro processes, I believe. We had the pfringclusterid=0 issue and that is how we found it.  Pf_ring was loaded but the total rings were 0, even though Bro was running and should have been utilizing pf_ring.

Output of cat /proc/net/pf_ring/info on our Bro host:
PF_RING Version          : 7.2.0 ( 7.2.0-stable:1fb19fb55a8c6e6525899c938a9f90be9dac7a64)
Total rings              : 30

Standard (non ZC) Options
Ring slots               : 32768
Slot version             : 17
Capture TX               : No [RX only]
IP Defragment            : No
Socket Mode              : Standard
Cluster Fragment Queue   : 52
Cluster Fragment Discard : 0


Sounds like your issue might be something else, but thought I’d throw this out there just in case. :)

Thanks,
Carl



From: bro-bounces at bro.org <bro-bounces at bro.org> On Behalf Of Yasha Levin
Sent: Monday, August 13, 2018 06:11
To: Mark Buchanan <mabuchan at gmail.com>; Azoff, Justin S <jazoff at illinois.edu>
Cc: bro <bro at bro.org>
Subject: Re: [Bro] BRO with PF_Ring multiplies log records

Mark,

The card is Intel X520 10G. Standard ixgbe drivers are loaded

Justin, I confirm that pfringclusterid setting correctly applied:

# /opt/bro/bin/broctl config | grep pfring
pfringclusterid = 21
pfringclustertype = 4-tuple
pfringfirstappinstance = 0

Still same problem. Will try bro+pf_ring on another server, will see if the problem will reproduce itself


11.08.2018, 02:20, "Mark Buchanan" <mabuchan at gmail.com<mailto:mabuchan at gmail.com>>:
If you have a p2p2 interface, does that mean that card is a Myricom card?   Have you loaded any of the SNF (Sniffer 10g+ drivers up)?   I'm very familiar with those, but I've observed that to be the interface on occaisions.   If so, I'm not sure how PF_RING, Myrcom/SNF and Bro play together.

Mark

On Fri, Aug 10, 2018 at 10:16 AM Azoff, Justin S <jazoff at illinois.edu<mailto:jazoff at illinois.edu>> wrote:

> On Aug 10, 2018, at 7:44 AM, Yasha Levin <ee-berry at yandex.ru<mailto:ee-berry at yandex.ru>> wrote:
>
> Mark, thanks for your response
>
> I've tried setting PFRINGClusterID as you advised. Unfortunately that hasn't changed anything - I still see that each event is multiplied by number of processes (x4 in my case). So each flow hits all the processes, with no actual balancing between them.
>
> Anything else I could check?

Can you confirm that

    broctl config | grep pfring

outputs something like

pfringclusterid = 21
pfringclustertype = 4-tuple

There was a problem with this configuration the bro-pf_ring plugin, but I got that fixed last September.
Did you install the plugin recently?


—
Justin Azoff


_______________________________________________
Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


--
Mark Buchanan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180814/b3a4939d/attachment-0001.html

More information about the Bro mailing list