PCAP_PF_RING_CLUSTER_ID

With my 3 node cluster on FreeBSD, all the workers are started with
PCAP_PF_RING_CLUSTER_ID=21. Where is the 21 coming from? And shouldn't
we restrict this to systems that actually have PF_RING, like via a
configure check?

Robin

With my 3 node cluster on FreeBSD, all the workers are started with
PCAP_PF_RING_CLUSTER_ID=21. Where is the 21 coming from?

Heh, it's "bro" typed out on a phone number pad (276) represented as an 8-bit int (wrapped around). In other words, it's a fairly arbitrary number. :)

And shouldn't
we restrict this to systems that actually have PF_RING, like via a
configure check?

I thought about doing that, but it seemed somewhat superfluous since those environment variables will only be used if the pf_ring libpcap wrapper is used. It does seem like the right thing to do, however. We could just set the default value to "0", which will cause the environment variables to not be set, but it seems like just causing more effort for users without much benefit.

  .Seth

Heh, it's "bro" typed out on a phone number pad (276) represented as
an 8-bit int (wrapped around). In other words, it's a fairly arbitrary
number. :)

I see. :) But let's then please use something like 0 or -1 to indicate
that it actually doesn't matter. Arbitrary values can be quite
confusing for the non-initiated.

I thought about doing that, but it seemed somewhat superfluous since
those environment variables will only be used if the pf_ring libpcap
wrapper is used. It does seem like the right thing to do however.

Yeah, for the same reason as above: I bet that otherwise somebody will
scratch his head at some point to understand what effect
PCAP_PF_RING_CLUSTER_ID has on his FreeBSD box.

Cc'ing the tracker. Tasks are:

    - If system doesn't have PF_RING support, don't set environment
    variable.

    - If system has PF_RING support, set ID to a default that
    indicates "not set".

@component: BroControl
@version: git/master
@type: Task
@milestone: Bro1.6
@keywords: beta

But a cluster_id of 0 indicates the cluster is not being used, which
it is, so it must be a positive integer. To keep it as simple as
possible, I guess I'd go with 1, but since there may be other clusters
running on the same system, there is value in picking a pseudo-random
number like 21, as 1 is probably more common for someone to choose for
the reason above. 21 has some "Bro" meaning. For instance, a system
with Suricata will use cluster_id 99 by default. Also, I would argue
that if you've installed PF_RING, you are "initiated," at least to
some extent. I say this because you have to go out of your way to
install it--it's not in any standard Linux distro.

Ah, I see. I misread "fairly arbitrary" as "doesn't matter", but I
think I got it now. Ok, then let's stay with 21.

Robin