PF_RING ZC Config

Would anyone happen to have documentation for configuring ZC and Bro? I have NTop’s PF_RING and ixgbe driver packages installed, the proper license in /etc/pf_ring, and have compiled Bro with the NTop libraries but I’m seeing the kernel error below along with a ton of “split routing” messages in weird.conf, so I suspect the flows aren’t being load balanced correctly.

Jun 22 15:10:03 win-csignsm-01 kernel: [11060.244524] [PF_RING] Unable to activate two or more ZC sockets on the same interface eth6/link direction

The monitored NIC is an Intel X520-LR1.

Contents of /etc/pf_ring/zc/ixgbe/ixgbe.conf:
RSS=10 allow_unsupported_sfp=0

Contents of /etc/pf_ring/hugepages.conf
node=1 hugepages=1024

And Bro is configured as:
[MID_INT]
type=worker
host=10.20.30.123
interface=zc:eth6
lb_method=pf_ring
lb_procs=10
pin_cpus=10,11,12,13,14,15,16,17,18,19

Thanks!
-Dave

Just wanted to update the list that I quit spending cycles on this and for the time being reverted back to running our clusters with the non-commercial version of pf_ring.

I can only comment on my experience, but I discovered there is an extreme lack of quality documentation and the “commercial support” that came with the 10 licenses was nearly non-existent.

Lessons have been learned and when the need to expand comes we’ll be looking at other commercial solutions to replace our X520’s with.

-Dave

Hi Dave
how did you ask support? I do not see any related issue in our ticketing system nor in email threads.

Alfredo

Related to Dave’s query, but not really an answer, sorry Dave…

It might be worth revisiting this doc and updating for ZC:

https://www.bro.org/documentation/load-balancing.html

A few things have changed on the PF_RING DNA side in broctl in regards to naming support “dnacl” instead of “dnacluster” due to problems with name length for dnaclusters with greater than 10 queues, and with the most recent releases of PF_RING (6.4+), DNA appears to have been removed finally in favor of the newer ZC according to the change notes. From what I recall reading I don’t believe it is terribly different outside of substituting ZC drivers (and tweaking huge-pages in the driver load script) in favor of DNA, and using zbalance_ipc instead of pfdnacluster_master. I want to say the naming in node.cfg becomes zc: instead of dnacl:.

Also, speaking of ZC, NTOP has a blog post that might be worth taking a look at concerning alternate ways of implementing ZC / zbalance_ipc with bro to work around a problem that can occur when bro workers crash and get automatically restarted.

http://www.ntop.org/pf_ring/best-practices-for-using-bro_ids-with-pf_ring-zc-reliably/

I haven’t quite made the transition to ZC from DNA yet, otherwise I’d take a stab at submitting updated docs and trying to assist more here. I have plans to make the switch later this summer though.

~Gary

Could you create a ticket for this in the tracker?

https://bro-tracker.atlassian.net/browse/BIT-1642

Thanks. I don’t want to forget to come back to this.

Hi guys
I drafted a REAME based on PF_RING ZC at https://github.com/ntop/PF_RING/blob/dev/doc/README.bro
feel free to edit it (sending pull requests).

Thank you
Alfredo

Looks like there is a mistake on line 64 of the README. The
text "-g 9" should probably be "-g 8".