Bro node.cfg not setting Myricom Sniffer10G environment variables

Chiaverini_Christian · June 20, 2017, 1:27pm

It seems that bro 2.5.1 is not taking the SNF_DATARING_SIZE variable, no matter what I set it to.

When at the defaults in the /etc/bro/node.cfg and with nothing set at the shell, it still reports it is set via “userset” instead of “default” like SNF_DESCRING_SIZE.

Here is the defaults:

Nothing at shell
#env | grep SNF

Azoff_Justin_S · June 20, 2017, 1:46pm

Can you do this quick test using tcpdump to verify the problem is with bro/broctl or something with the myricom driver/library?

SNF_APP_ID=10 SNF_FLAGS=0x1 SNF_NUM_RINGS=8 SNF_DEBUG_MASK=3 SNF_DATARING_SIZE=4294967296 SNF_DESCRING_SIZE=1073741824 tcpdump -n -i snf0 -c 1

When I run that I get

23681 snf.0.-1 P (userset) SNF_PORTNUM = 0
23681 snf.0.-1 P (default) SNF_RING_ID = -1 (0xffffffff)
23681 snf.0.-1 P (environ) SNF_NUM_RINGS = 8 (0x8)
23681 snf.0.-1 P (default) SNF_RSS_FLAGS = 49 (0x31)
23681 snf.0.-1 P (environ) SNF_DATARING_SIZE = 4294967296 (0x100000000) (4096.0 MiB)
23681 snf.0.-1 P (environ) SNF_DESCRING_SIZE = 1073741824 (0x40000000) (1024.0 MiB)
23681 snf.0.-1 P (userset) SNF_FLAGS = 1 (0x1)
23681 snf.0.-1 P (environ) SNF_DEBUG_MASK = 3 (0x3)
23681 snf.0.-1 P (default) SNF_DEBUG_FILENAME = stderr
23681 snf.0.-1 P (environ) SNF_APP_ID = 10 (0xa)

Alejandro_Carreno · June 20, 2017, 2:09pm

I noticed this behavior as well a while back after upgrading SNF from 3.0.10 to 3.0.11. Downgrading back to 3.0.10 would return the ring sizes to the expected values.

-Alex

Chiaverini_Christian · June 20, 2017, 3:00pm

Justin,

Looks like it was able to set it successfully at the shell (disregard the last line, I did not change the APP_ID from running process):

SNF_APP_ID=10 SNF_FLAGS=0x1 SNF_NUM_RINGS=8 SNF_DEBUG_MASK=3 SNF_DATARING_SIZE=4294967296 SNF_DESCRING_SIZE=1073741824 tcpdump -n -i snf0 -c 1

61474 snf.0.-1 P (userset) SNF_PORTNUM = 0
61474 snf.0.-1 P (default) SNF_RING_ID = -1 (0xffffffff)
61474 snf.0.-1 P (environ) SNF_NUM_RINGS = 8 (0x8)
61474 snf.0.-1 P (default) SNF_RSS_FLAGS = 49 (0x31)
61474 snf.0.-1 P (environ) SNF_DATARING_SIZE = 4294967296 (0x100000000) (4096.0 MiB)
61474 snf.0.-1 P (environ) SNF_DESCRING_SIZE = 1073741824 (0x40000000) (1024.0 MiB)
61474 snf.0.-1 P (userset) SNF_FLAGS = 1 (0x1)
61474 snf.0.-1 P (environ) SNF_DEBUG_MASK = 3 (0x3)
61474 snf.0.-1 P (default) SNF_DEBUG_FILENAME = stderr
61474 snf.0.-1 P (environ) SNF_APP_ID = 10 (0xa)
61474 snf.0.-1 P SNF_DEBUG_MASK=0x3 for modes WARN=0x1, PARAM=0x2 QSTATS=0x4 TIMESYNC=0x8 IOCTL=0x10 QEVENTS=0x20 ARISTA=0x40
61474 snf.0.-1 P lib version=3.0.11.50818 build=snf-3.0.11.50818_07ecd3440 03/16/17_08:43 07ecd3440
61474 snf.0.-1 P kernel version=3.0.11.50818 build=snf-3.0.11.50818_07ecd3440 03/16/17_08:43 07ecd3440
61474 snf.0.-1 P pqstate [ 0x7fabade7e000… 0x7fabade80000) size 8 KiB 8192 (0x2000)
61474 snf.0.-1 P desc_ring [ 0x7fab9c824000… 0x7fabac824000) size 256 MiB 268435456 (0x10000000)
61474 snf.0.-1 P data_ring [ 0x7fab94c14000… 0x7fab9c824000) size 124 MiB 130088960 (0x7c10000)
61474 snf.0.-1 P pq_init: desc[seq=216,ev_idx=222869,cnt=105364809365]
tcpdump: snf_ring_open_id(ring=-1) failed: Device or resource busy

Chiaverini_Christian · June 20, 2017, 3:01pm

I have a support case open with them in parallel. I will report this to them too. Maybe we’ll get a fix in next minor release.

Chiaverini_Christian · June 21, 2017, 10:31pm

Alex,

Thank you for this. I confirmed on my end too… rolled back to 3.0.10 and it worked. I will let you know what Myricom comes up with, if they will fix in next release.

Aashish_Sharma1 · June 21, 2017, 11:59pm

Doh! I just upgraded the myricom drivers to 3.0.11 today only

Aashish

Chiaverini_Christian · June 22, 2017, 9:23pm

Rollback!!!!

Myricom opened an internal ticket on their end so hopefully we will see a bugfix soon.

Regards,

Chris Chiaverini
Cyber Security Operations
Brookhaven National Laboratory
Upton, New York 11973

seth · June 24, 2017, 1:23am

You could also try the bro-myricom plugin from the Bro package
repository. If you have bro-pkg set up, you should be able to do
this...

bro-pkg refresh
bro-pkg install sethhall/bro-myricom

There is documentation on how to use it here:
GitHub - sethhall/bro-myricom: Bro plugin to receive packets through the Myricom Sniffer API

You only configure the data ring size in it. For some reason they
don't expose the desc ring size option through their native SNF api,
only the data ring size. I'm going to go out on a limb here and guess
that you may be experiencing weird behavior because they probably want
to get rid of the desc ring size option. It makes more sense if they
just auto adjust that based on the chosen data ring size.

.Seth

Edgmand_Craig · June 26, 2017, 2:12pm

Does this only impact Bro 2.5.1?

Alejandro_Carreno · June 26, 2017, 2:41pm

Negative, noticed in 2.5 when 3.0.11 was released.

-Alex

Topic		Replies	Views
Myricom and Bro Zeek	1	70	May 6, 2022
Myricom help Zeek	4	63	May 6, 2022
[security-onion] Bro and Myricom Zeek	1	83	May 6, 2022
Trying to get Bro to share Myricom cards with tcpdump or Snort Zeek	6	88	May 6, 2022
myricom SNFv3 / kernel upgrade CentOS 7 Zeek	2	65	May 6, 2022

Bro node.cfg not setting Myricom Sniffer10G environment variables

SNF_APP_ID=10 SNF_FLAGS=0x1 SNF_NUM_RINGS=8 SNF_DEBUG_MASK=3 SNF_DATARING_SIZE=4294967296 SNF_DESCRING_SIZE=1073741824 tcpdump -n -i snf0 -c 1

Related topics