Quick pf_ring question

James_Lay · August 21, 2014, 10:11pm

Hey all!

So...where/how does one utilize pf_ring via command-line/local.bro? I'm not having much luck finding the info...thanks for any help.

James

James_Lay · August 22, 2014, 2:17pm

Any takers on this? I've got my ldd for this looking good and really wanting to test this...is broctrl my only option for use with pf_ring? Thanks all...appreciate the help.

James

James_Lay · August 22, 2014, 5:04pm

Comparison of running bro linked to system libpcap to bro links to pf_ring via command line:

sudo bro --no-checksums -i eth0 local "Site::local_nets += { 192.168.1.0/24 }"

system libpcap: libpcap.so.0.8 => /usr/lib/x86_64-linux-gnu/libpcap.so.0.8 (0x00007f3221f6c000)

top - 10:43:19 up 20:36, 2 users, load average: 0.42, 0.17, 0.29
Tasks: 99 total, 1 running, 98 sleeping, 0 stopped, 0 zombie
%Cpu(s): 6.8 us, 27.6 sy, 0.0 ni, 65.2 id, 0.0 wa, 0.4 hi, 0.0 si, 0.0 st
KiB Mem: 3082108 total, 2808360 used, 273748 free, 94848 buffers
KiB Swap: 3002364 total, 1112 used, 3001252 free. 2310580 cached Mem

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2801 root 20 0 522304 55964 7500 S 27.5 1.8 0:11.61 bro

pf_ring: libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007fe6c42b5000)

top - 10:54:13 up 20:47, 2 users, load average: 0.05, 0.10, 0.21
Tasks: 99 total, 2 running, 97 sleeping, 0 stopped, 0 zombie
%Cpu(s): 6.1 us, 26.9 sy, 0.0 ni, 67.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem: 3082108 total, 2992864 used, 89244 free, 75388 buffers
KiB Swap: 3002364 total, 1568 used, 3000796 free. 1996052 cached Mem

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5580 root 20 0 899404 576276 529768 R 29.5 18.7 0:24.32 bro

This is on a low usage link with like...one active connection (my ssh session). Memory is higher and CPU just a smidgeon, so I'm guessing something is working. Thought I'd fire this out for anyone thinking of moving to pf_ring.

James

Seth_Hall3 · August 25, 2014, 5:35pm

You could take a look at the pf_ring plugin in BroControl. There are some special environment variables that need to be set.

The main one you probably are concerned with is: PCAP_PF_RING_CLUSTER_ID. Set this to some numeric value and use the same value for each worker you are running and the traffic should be balanced across all of your processes.

You should also probably set the PCAP_PF_RING_USE_CLUSTER_PER_FLOW to 1 as well.

Since you're running Bro manually, it might look like this:

PCAP_PF_RING_USE_CLUSTER_PER_FLOW=1 PCAP_PF_RING_CLUSTER_ID=21 bro <your args>

.Seth

James_Lay · August 25, 2014, 5:37pm

That's awesome...thanks for the info Seth.

James

Topic		Replies	Views
So before I upgrade (pf_ring revisit) Zeek	3	64	May 6, 2022
PF_RING Help Needed Zeek	7	46	May 6, 2022
PF_Ring+DNA and Bro Zeek	3	50	May 6, 2022
PF_Ring Zeek	1	67	May 6, 2022
Bro and PF_Ring Zeek	3	71	May 6, 2022

Quick pf_ring question

Related Topics