So, having built bro with the pf_ring plugin and pf_ring (libpcap pfring), I have found that the plugin does not seem to be working as expected.
When I run
interface=$iface
lb_method=pf_ring
lb_procs=18
I get much better performace and less “weird” stuff like rapidly growing conn and weird logs.
When I use
interface=pf_ring::$iface
lb_method-=(pf_ring or custom, doesnt matter which I choose)
lb_procs=18
my conn logs go crazy. Additionally, some logs which normally grow at 1 to 2 meg a second grow at 1/10th of that. Is there something undocumented about the native pf_ring plugin that I am unaware of which would lead to this behavioral discrepency? Is this also rooted in RHEL7 kernel land issues?