I am trying to use PFRING_ZC for Bro in my security onion box. I got the license from ntop but there was little document on how to enable this.
Would appreciate any help/pointer to docs. I will compile a step-by-step instructions if I get this working.
I have the Intel 82599EB 10G card and the ixgbe-zc driver installed.
ixgbe-zc, 3.22.3, 3.13.0-44-generic, x86_64: installed
pf_ring, 6, 3.13.0-35-generic, x86_64: installed
pf_ring, 6, 3.13.0-44-generic, x86_64: installed (WARNING! Diff between built and installed module!)
pfring, 6.0.3, 3.13.0-44-generic, x86_64: installed
not sure what to do next and how to enable it for Bro.
I was seeing 60% packet loss rate. After some aggressive BPF filtering, it went down to about 15%-20%.
Are you using a big box? Mine is 24 core CPU with 64GB mem. There is an email thread about Bro with 10G card and many people also see pretty significant packet loss.
It would be great if you can share your configs and also your traffic throughput.
We have Bro running on a 2 unit stack (4RU total) and see 17-18G of Bro steady state, peak 40-45G with few packet drops (~2%). To achieve this, we have 32 worker threads on each 2U appliance; of the remaining cores, 4 are for NIC management and the other 12 can be used for other applications. Bro is not modified at all.
If you (or anyone else) would like to discuss further, please feel free to send me a private email.