Sorry, Seth, I didn’t send this to all and should have. Here was the email that Seth was referring to.
I’ll have to check later, but I was able to make the plugin work with some source mods, I think. I think I tested and was unable to get it to work natively using the broctl.conf changes that I sent to the list a few minutes ago.
I know there was some glitch that didn’t make it work out of the box, but I was able to modify the plugin and get it to work - just don’t have that code where I am now.
Ok - found the edits I made. Here are the diffs - however I have commented out the second (and most necessary) piece of code:
diff bro-2.5*/aux/plugins/pf_ring/src/PF_RING.cc
40a41,48
char app_name[4] = “bro”;
if ( pfring_set_application_name(pd, app_name) != 0 )
{
Error(errno ? strerror(errno) : “unable to set app name”);
return;
}
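Review bot: The failure path after pfring_set_application_name returns without releasing pd, while the cluster failure path in the following hunk calls pfring_close(pd) and sets pd = NULL before returning. Do the same cleanup here, or, since the message describes the name as what appears under /proc/net/pf_ring, consider reporting the failure and continuing rather than aborting the open. Declaring the buffer as char app_name[] = "bro"; would also remove the hand-counted size of 4, which has to be updated by hand if the name ever changes.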
48a57,68
/* Set default cluster type /
/ u_int clusterId = 1;
cluster_type cluster_hash_type = cluster_per_flow_5_tuple;
if ( pfring_set_cluster(pd, clusterId, cluster_hash_type) != 0 )
{
Error(errno ? strerror(errno) : “unable to set cluster mode”);
pfring_close(pd);
pd = NULL;
return;
}
*/
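Review bot: clusterId is hardcoded to 1 and the hash type to cluster_per_flow_5_tuple, so if this block is enabled every instance joins cluster 1 regardless of the PFRINGClusterID set in broctl.conf. Take the cluster ID (and ideally the hash type) from configuration instead of a literal, and either enable the block or drop it from the patch once the test settles whether the call is needed; submitting it commented out leaves the intended behaviour ambiguous.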
The issue related back to not having the cluster hash set and I believe it wouldn’t fire. Additionally the first snippet of code sets the app name, so when you cat /proc/net/pf_ring/.* you get “bro” out of it.
To note, I’m not a coder, so I’m happy I made it this far. There was some question if the cluster_type was necessary if you had the broctl.conf items in the file - but I can’t remember the outcome of the test (but I believe the comment out I have of the cluster type was me testing it).
Does that help? I know I was able to get the module to work, but I think I had to include the above items to make it work. Additionally, there was some glitch that omitted the PFRINGClusterID from the broctl.conf due to a FreeBSD bug that said if PF_RING isn’t needed, don’t put that in there.
Mark