Quick pf_ring question

Hey all!

So...where/how does one utilize pf_ring via command-line/local.bro? I'm not having much luck finding the info...thanks for any help.

James

Any takers on this? I've got my ldd for this looking good and really want to test this...is broctl my only option for use with pf_ring? Thanks all...appreciate the help.

James

Comparison of running bro linked to the system libpcap vs. bro linked to pf_ring, via the command line:

sudo bro --no-checksums -i eth0 local "Site::local_nets += { 192.168.1.0/24 }"

system libpcap: libpcap.so.0.8 => /usr/lib/x86_64-linux-gnu/libpcap.so.0.8 (0x00007f3221f6c000)

top - 10:43:19 up 20:36, 2 users, load average: 0.42, 0.17, 0.29
Tasks: 99 total, 1 running, 98 sleeping, 0 stopped, 0 zombie
%Cpu(s): 6.8 us, 27.6 sy, 0.0 ni, 65.2 id, 0.0 wa, 0.4 hi, 0.0 si, 0.0 st
KiB Mem: 3082108 total, 2808360 used, 273748 free, 94848 buffers
KiB Swap: 3002364 total, 1112 used, 3001252 free. 2310580 cached Mem

   PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
  2801 root 20 0 522304 55964 7500 S 27.5 1.8 0:11.61 bro

pf_ring: libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007fe6c42b5000)

top - 10:54:13 up 20:47, 2 users, load average: 0.05, 0.10, 0.21
Tasks: 99 total, 2 running, 97 sleeping, 0 stopped, 0 zombie
%Cpu(s): 6.1 us, 26.9 sy, 0.0 ni, 67.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem: 3082108 total, 2992864 used, 89244 free, 75388 buffers
KiB Swap: 3002364 total, 1568 used, 3000796 free. 1996052 cached Mem

   PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
  5580 root 20 0 899404 576276 529768 R 29.5 18.7 0:24.32 bro

This is on a low usage link with like...one active connection (my ssh session). Memory is higher and CPU just a smidgeon, so I'm guessing something is working. Thought I'd fire this out for anyone thinking of moving to pf_ring.

James

You could take a look at the pf_ring plugin in BroControl. There are some special environment variables that need to be set.

The main one you probably are concerned with is: PCAP_PF_RING_CLUSTER_ID. Set this to some numeric value and use the same value for each worker you are running and the traffic should be balanced across all of your processes.

You should probably also set PCAP_PF_RING_USE_CLUSTER_PER_FLOW to 1.

Since you're running Bro manually, it might look like this:

PCAP_PF_RING_USE_CLUSTER_PER_FLOW=1 PCAP_PF_RING_CLUSTER_ID=21 bro <your args>

  .Seth
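A small launcher for running several workers by hand with those variables, as an added example that is not from the thread or from the Bro project. It assumes pf_ring's libpcap lives under /opt/pfring/lib (the path in James's ldd output) and gives each worker its own log directory, since Bro writes logs to its working directory.

```sh
#!/bin/sh
# Added example (not from the thread or the Bro project): run several Bro
# workers by hand on one interface with pf_ring load balancing.
# Assumptions: pf_ring's libpcap lives under /opt/pfring/lib (the path seen
# in the ldd output above) and each worker gets its own log directory,
# because Bro writes its logs to the current working directory.

PFRING_LIB_DIR="${PFRING_LIB_DIR:-/opt/pfring/lib}"

# Read ldd output on stdin; succeed only if libpcap resolves under the
# pf_ring tree. A bro linked to the system libpcap ignores the
# PCAP_PF_RING_* variables, so every worker would see all the traffic.
pfring_libpcap_linked() {
    grep 'libpcap\.so' | grep -q "=> ${PFRING_LIB_DIR}/"
}

# Environment prefix shared by all workers: one cluster id so pf_ring hashes
# each flow to exactly one worker, per-flow mode so both directions of a
# connection land on the same worker (Bro needs the whole conversation).
pfring_env() {
    printf 'PCAP_PF_RING_USE_CLUSTER_PER_FLOW=1 PCAP_PF_RING_CLUSTER_ID=%s' "$1"
}

# start_workers CLUSTER_ID NWORKERS LOGROOT [bro args...]
# Launches NWORKERS copies of bro in the background, each in LOGROOT/worker-N,
# and waits for them. BRO can be overridden (e.g. BRO=true for a dry run).
start_workers() {
    cluster_id=$1; nworkers=$2; logroot=$3; shift 3
    i=1
    while [ "$i" -le "$nworkers" ]; do
        mkdir -p "$logroot/worker-$i"
        ( cd "$logroot/worker-$i" && env $(pfring_env "$cluster_id") "${BRO:-bro}" "$@" ) &
        i=$((i + 1))
    done
    wait
}

# Sanity check first: is the bro on PATH really the pf_ring-linked build?
if command -v bro >/dev/null 2>&1; then
    if ldd "$(command -v bro)" | pfring_libpcap_linked; then
        echo "bro resolves libpcap under $PFRING_LIB_DIR"
    else
        echo "warning: bro uses the system libpcap; PCAP_PF_RING_* will have no effect" >&2
    fi
fi

# Example invocation, two workers on eth0 with the same scripts James used:
#   start_workers 21 2 /var/spool/bro --no-checksums -i eth0 local 'Site::local_nets += { 192.168.1.0/24 }'
if [ $# -gt 0 ]; then
    start_workers "$@"
fi
```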

That's awesome...thanks for the info Seth.

James