Anyone using PF_RING ZC with Bro yet?

Hello,

I have a couple new machines to set up and I am curious if anyone has upgraded from PF_RING DNA + Libzero to PF_RING ZC for use with Bro and what your experience has been? Is it safe or preferred to upgrade to ZC or to stick with the DNA/Libzero approach at this time?

Regards,
Gary

The PF_RING plugin in 2.3 should support ZC interfaces from the ZC traffic balancing tool they provide. One problem with it, though, is that the new ZC tool only supports balancing the traffic to a single tool, unlike the DNA load balancing tool, which can load balance traffic multiple times out to different tools.

  .Seth

Seth,

Thanks for the reply. I remembered you commenting on that and asked Alfredo from NTOP if it was supported yet and he indicated that you can actually do the multiple app thing now. He also mentioned that the daemon mode option isn't implemented within the new script.

For example I asked about doing something like this, but in ZC:

pfdnacluster_master -i dna0,dna1 -d -n 12,1 -c 21

Alfredo indicated I should be able to get similar results with the new script like this (excepting no built-in -d mode):

zbalance_ipc -i zc:ethX,zc:ethY -n 12,1 -m 1 -c 21

That said, I also seem to recall someone else on the Bro list having some other issues, such as with jumbo frames or missing packets, but don't know if those ever got resolved. ZC is initially tempting because you only need the one ZC license instead of separate licenses for the DNA driver and Libzero, plus not having to go back for ZC later, but that's only helpful if it is working well for people.

Regards,
Gary

Ah nice! It's been several months since I've looked at this. I think that to get this config working in Bro you should be able to use lb_method=pf_ring with interface=zc:21 (in Bro 2.3).

  .Seth