As I recall last time around, there was a pf_ring vs. bro pf_ring plugin thread going on a while ago. I thought I’d revisit this since I’m going from 2.5.0 to 2.5.1. So…here’s what I have:
https://www.bro.org/documentation/load-balancing.html
I believe the above is complete, yes? The only question I would have answered here is what options to pass via command line.
https://www.bro.org/sphinx/components/bro-plugins/pf_ring/README.html
So THIS link is for using the plugin…this has info about starting command line, but not via node.cfg. I’m assuming I could use:
pf_ring::eth0
instead of interface? Or do I just use what's in the load-balancing link? Additionally, what's the benefit of using one over the other method? Thank you.
James
Sorry for the delay in answering!
> pf_ring::eth0
> instead of interface? Or do I just use what's in the load-balancing
> link? Additionally, what's the benefit of using one over the other
> method? Thank you.
I think you may want to use what's in the load-balancing link (the libpcap wrapper approach).
I'm not sure of the state of the pf_ring plugin, especially since we removed everything in the bro-plugins repository. Robin emailed package maintainers there to try and get them to create Bro packages and I'm not sure the pf_ring one was moved over. The other problem is that the pf_ring plugin didn't/doesn't have a broctl plugin so you can't change any settings (such as the app_id). I *think* that load balancing works with it though, but I'm not sure offhand how you'd configure it correctly with broctl.
.Seth
Awesome...thanks Seth, I'll stick with the load-balancing link for now.
James