Bro and PF_RING Cluster ID

Hi all,

I'm running a clustered Bro instance with workers capturing traffic on
three PF_RING enabled e1000e interfaces.

While looking in /proc/net/pf_ring/ I noticed that all of my Bro
workers belong to cluster id 21. Is it possible (or desirable) in Bro
to create a PF_RING cluster id per capture interface?

I read that PF_RING allows a maximum of eight workers per cluster id,
is this still true?

Best,

Bob

Correct on the max of 8 workers:

kernel/linux/pf_ring.h:#define CLUSTER_LEN 8

You can up that to something higher and recompile the kernel module if
you have more cores.

It is not necessary for PF_RING to use a different cluster id per capture interface.

You can increase the number of workers per cluster id by changing CLUSTER_LEN in linux/pf_ring.h from 8 to 16 or 32.

There seems to be another limitation on the number of workers on a host in Bro when you go above 8 workers on a host.

Bill Jones

The CLUSTER_LEN depends on what version of PF_RING you use. The latest development build is set to 32.

You can set the cluster ID in the broctl.conf file but I’m not sure how that works when more than one PF_RING interface is being used. If it makes sense then maybe leveraging the load balancing configuration and having something like “lb_ring_id”?
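An added example, not code from any poster in this thread: a shell check that counts PF_RING sockets per cluster id under /proc/net/pf_ring/ and reports clusters holding more sockets than the CLUSTER_LEN limit discussed above. It assumes each per-socket file there carries a `Cluster Id : <n>` line and that id 0 means "not clustered"; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: count PF_RING sockets per cluster id and flag clusters that
# hold more sockets than CLUSTER_LEN.
# Assumption: per-socket files in the proc directory contain a line
# "Cluster Id         : <n>", and cluster id 0 means "no cluster".

# cluster_counts DIR -> "<cluster_id> <socket_count>" per line, sorted by id
cluster_counts() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue            # skip subdirectories such as dev/
        awk -F: '/^Cluster Id/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$f"
    done | sort -n | uniq -c | awk '{ print $2, $1 }'
}

# over_limit DIR LIMIT -> ids of clusters with more than LIMIT sockets
over_limit() {
    cluster_counts "$1" | awk -v max="$2" '$1 != 0 && $2 > max { print $1 }'
}

# make_sample DIR: write constructed sample files (not real captures):
# nine sockets in cluster 21, two in cluster 22, one unclustered.
make_sample() {
    i=1
    while [ "$i" -le 12 ]; do
        if [ "$i" -le 9 ]; then id=21
        elif [ "$i" -le 11 ]; then id=22
        else id=0
        fi
        printf 'Bound Device(s)    : eth%d\nCluster Id         : %d\n' \
            "$((i % 3))" "$id" > "$1/100$i-eth.$i"
        i=$((i + 1))
    done
}

# Stand-alone use on a sensor; 8 is the CLUSTER_LEN value quoted in the thread.
if [ -d /proc/net/pf_ring ]; then
    over_limit /proc/net/pf_ring "${CLUSTER_LEN:-8}"
fi
```

Set `CLUSTER_LEN` in the environment to match the value compiled into your module before running it.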