pf_ring on RHEL/CENTOS 6?

I’ve set up a Bro 2.1 instance with a network tap, but keep getting notice log entries of “PacketFilter::Dropped_Packets”. I’m assuming this is because Bro is single threaded and it needs more workers to keep up with the traffic, so I’m trying to implement pf_ring to distribute the traffic across multiple workers. I’ve installed the pf_ring RPM package from ntop (http://www.nmon.net/packages/rpm/x86_64/PF_RING/) and that gets the kernel module loaded but seems to be lacking something still - probably linking libpcap to pf_ring? That’s what I’m not sure about. After installing pf_ring from the RPM package and configuring Bro for multiple workers it starts up ok but is still dropping packets (all of the workers, per the notice log) and pf_ring doesn’t appear to be used:

cat /proc/net/pf_ring/info

PF_RING Version : 5.6.2 ($Revision: 6910$)
Total rings : 0

Standard (non DNA) Options
Ring slots : 4096
Slot version : 15
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

Has anyone had any success with clustered Bro with pf_ring on RHEL/CENTOS, and did you have to compile it from source and re-compile libpcap? I’d prefer to stick with the RPM packages since it tends to make updating less problematic. I installed Bro 2.1 as an RPM package as well.

Thanks,
Matt

In case anyone is interested, I ended up installing PF_RING from source, then rebuilding the Bro RPM with PF_RING support. It would be nice if the native libpcap and tcpdump already had support for PF_RING, but that’s not currently the case. I’d rather install everything from RPMs, but having Bro at least installed from a package should make updates a little easier. Here are the basic steps:

Install Prerequisites

  1. Add the EPEL repo to the system but leave it disabled: /etc/yum.repos.d/epel.repo
  2. Remove conflicting packages: libpcap, tcpdump, cmake.
  3. Install prerequisites: mpfr cpp ppl cloog-ppl gcc kernel-devel pcre-devel libpcap-devel yum-plugin-priorities libnet flex bison gcc-c++ swig rpm-build
  4. Install prerequisites from EPEL: libyaml libyaml-devel cmake28
  5. Create a softlink for cmake pointing to the newer version from EPEL.

Build and Install PF_RING

  1. Download the source from http://sourceforge.net/projects/ntop/files/PF_RING/
  2. Configure, make, and install the kernel module, libpcap, and tcpdump
  3. Create an /etc/modprobe.d/pfring.conf entry to load the kernel module at boot
  4. Manually load the pf_ring module for now
  5. Create an ldconfig file /etc/ld.so.conf.d/pfring.conf that contains the path to the libpcap dynamic libraries
  6. Run “ldconfig” to load the new config for now

Build the Bro RPM with PF_RING Support

  1. Download the source from http://www.bro.org/download/index.html and unpack it with a non-root user.
  2. As that non-root user, go into the bro-2.1/pkg directory and edit the check-cmake file so that the cmake check matches the version you have.
  3. As the non-root user edit the make-rpm-packages file and add the --with-pcap=/usr/local/pfring (or wherever you installed PF_RING) option to the configure lines.
  4. As the non-root user execute the make-rpm-packages script; the packages will end up in the bro-2.1/build/ directory.

Install Bro from the newly built RPM package

It’s running now with PF_RING and very few dropped packet notices.

cat /proc/net/pf_ring/info

PF_RING Version : 5.6.1 ($Revision: exported$)
Total rings : 4

Standard (non DNA) Options
Ring slots : 4096
Slot version : 15
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 3464
Cluster Fragment Discard : 1036837

-matt
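A check that belongs after the rebuild above: confirm that the Bro binary actually resolves PF_RING's libpcap and that the ring count in /proc/net/pf_ring/info is non-zero while workers run. This is an added verification script, not part of the thread; it assumes Bro lives at /usr/local/bro/bin/bro and PF_RING was installed with the --with-pcap=/usr/local/pfring prefix mentioned in the steps.

```shell
#!/bin/sh
# Added verification script (not from the thread): does a rebuilt Bro really
# capture through PF_RING? Assumed paths (override via the environment):
BRO_BIN="${BRO_BIN:-/usr/local/bro/bin/bro}"
PFRING_LIB="${PFRING_LIB:-/usr/local/pfring/lib}"
PFRING_INFO="${PFRING_INFO:-/proc/net/pf_ring/info}"

# Print the "Total rings" counter from a /proc/net/pf_ring/info-style file.
# With Bro workers running, 0 means no process opened a PF_RING socket,
# i.e. the workers are still going through the stock libpcap.
total_rings() {
    awk -F':' '/^Total rings/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# Print the libpcap path a binary resolves to, given saved "ldd" output.
pcap_path() {
    awk '/libpcap/ { print $3; exit }' "$1"
}

# Succeed only if the resolved libpcap lives under the PF_RING prefix.
linked_to_pfring() {
    case "$(pcap_path "$1")" in
        "$PFRING_LIB"/*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Live check against this host (run with --live).
check_live() {
    if [ ! -r "$PFRING_INFO" ]; then
        echo "pf_ring module not loaded ($PFRING_INFO missing)"
        return 1
    fi
    tmp=$(mktemp)
    ldd "$BRO_BIN" > "$tmp" 2>/dev/null
    if linked_to_pfring "$tmp"; then
        echo "bro links libpcap from $(pcap_path "$tmp")"
    else
        echo "WARNING: bro uses '$(pcap_path "$tmp")', not PF_RING's libpcap"
    fi
    rm -f "$tmp"
    echo "PF_RING rings in use: $(total_rings "$PFRING_INFO")"
}

case "${1:-}" in
    --live) check_live ;;
esac
```

Run it as `sh check_pfring.sh --live` on the sensor after broctl has started the workers; a ring count of 0 together with a libpcap path outside the PF_RING prefix reproduces the first-post situation.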