So before I upgrade (pf_ring revisit)

Zeek
1

As I recall last time around, there was a pf_ring vs. bro pf_ring plugin thread going on a while ago. I thought I’d revisit this since I’m going from 2.5.0 to 2.5.1. So…here’s what I have:

https://www.bro.org/documentation/load-balancing.html
I believe the above is complete yes? The only question I would have answered here is what options to pass via command line.

https://www.bro.org/sphinx/components/bro-plugins/pf_ring/README.html
So THIS link is for using the plugin…this has info about starting command line, but not via node.cfg. I’m assuming I could use:

pf_ring::eth0

instead of interface?  Or do I just use what's in the load-balancing link?  Additionally, what's the benefit of using one over the other method?  Thank you.

James
2

Sorry for the delay in answering!

pf_ring::eth0

instead of interface? Or do I just use what's in the load-balancing
link? Additionally, what's the benefit of using one over the other
method? Thank you.

I think you may want to use whats in the load-balancing link (the libpcap wrapper approach).

I'm not sure of the state of the pf_ring plugin, especially since we removed everything in the bro-plugins repository. Robin emailed package maintainers there to try and get them to create Bro packages and I'm not sure the pf_ring one was moved over. The other problem is that the pf_ring plugin didn't/doesn't have a broctl plugin so you can't change any settings (such as the app_id). I *think* that load balancing works with it though, but I'm not sure offhand how you'd configure it correctly with broctl.

   .Seth

3

Awesome...thanks Seth I'll stick with the load-balancing link for now.

James