I am trying to use PFRING_ZC for Bro in my Security Onion box. I got the license from ntop but there was little documentation on how to enable this.

Would appreciate any help/pointers to docs. I will compile step-by-step instructions if I get this working.

I have the Intel 82599EB 10G card and the ixgbe-zc driver installed.

#dkms status
ixgbe-zc, 3.22.3, 3.13.0-44-generic, x86_64: installed
pf_ring, 6, 3.13.0-35-generic, x86_64: installed
pf_ring, 6, 3.13.0-44-generic, x86_64: installed (WARNING! Diff between built and installed module!)
pfring, 6.0.3, 3.13.0-44-generic, x86_64: installed

I was seeing 60% packet loss rate. After some aggressive BPF filtering, it went down to about 15%-20%.

Are you using a big box? Mine is a 24-core CPU with 64GB mem. There is an email thread about Bro with 10G cards, and many people also see pretty significant packet loss.

We have Bro running on a 2 unit stack (4RU total) and see 17-18G of Bro steady state, peak 40-45G with few packet drops (~2%). To achieve this, we have 32 worker threads on each 2U appliance; of the remaining cores, 4 are for NIC management and the other 12 can be used for other applications. Bro is not modified at all.

