What is the configuration needed to run bro with PF_RING using its link aggregation (multi) capability? This below (a snippet of node.cfg) doesn’t do it:
[bro-pf]
type=worker
host=X.X.X.X
interface=multi:em1;em2
lb_method=pf_ring
lb_procs=8
I found the answer. I missed the lb_interfaces option.
Wait, does lb_interfaces work with lb_method=pf_ring? My bro instance didn’t complain when I started it, but I do not believe it is actually processing packets.
would you mind posting the full working config? I’m interested in this as well.
Cheers,
JB
I'm wondering the same thing... It would make pooling resources for multi nic'd bro works a ton easier...
Has anyone done this? Can it be done?
Cheers,
JB
I'm afraid we don't have a terribly elegant method to do that with PF_Ring right now. You could use their ZC module and do the load balancing in userspace with their zbalance_ipc tool (or whatever it's called). I think that can merge traffic and distribute it out and we support sniffing from ZC load balanced interfaces.
This is yet another area where our upcoming packet-bricks tool will make life easier. I just wish it was ready for people to generally use. 
.Seth