Sorry, Seth, I didn't send this to all and should have. Here was the email
that Seth was referring to.

I'll have to check later, but I was able to make the plugin work with some
source mods, I think. I think I tested and was unable to get it to work
natively using the broctl.conf changes that I sent to the list a few

I know there was some glitch that didn't make it work out of the box, but I
was able to modify the plugin and get it to work - just don't have that
code where I am now.

Ok - found the edits I made. Here are the diffs - however I have commented
out the second (and most necessary piece of code):
char app_name[] = "bro";
if ( pfring_set_application_name(pd, app_name) != 0 )
Error(errno ? strerror(errno) : "unable to set app name");
/* Set default cluster type */
/* u_int clusterId = 1;
cluster_type cluster_hash_type = cluster_per_flow_5_tuple;
if ( pfring_set_cluster(pd, clusterId, cluster_hash_type) != 0 )
Error(errno ? strerror(errno) : "unable to set cluster
pd = NULL;

The issue related back to not having the cluster hash set and I believe it
wouldn't fire. Additionally the first snippet of code sets the app name,
so when you cat /proc/net/pf_ring/<pid>.* you get "bro" out of it.

To note, I'm not a coder, so I'm happy I made it this far. There was some
question if the cluster_type was necessary if you had the broctl.conf items
in the file - but I can't remember the outcome of the test (but I
believe the comment out I have of the cluster type was me testing it).

Does that help? I know I was able to get the module to work, but I think I
had to include the above items to make it work. Additionally, there was
some glitch that omitted the PFRINGClusterID from the broctl.conf due to a
FreeBSD bug that said if PF_RING isn't needed, don't put that in there.

On Tue, Feb 28, 2017 at 8:17 AM, Seth Hall <seth(a)icir.org> wrote:
> On Feb 27, 2017, at 5:54 PM, fatema bannatwala
> > When I configured and installed bro from source, I did:
> > $ ./configure --prefix=/usr/local/bro/2.5 --with-pcap=/usr/local/pfring/
>
> Yep, you are using the libpcap wrapper here, which is currently the only
> way to do clustered load balancing with PF_Ring unless you do that tiny
> change that Mark pointed out a minute ago. To get that more tightly
> integrated and configurable with broctl would take a bit more work, but as
> a hack that tiny change would work.
>
> You can tell in your node.cfg if you are using the libpcap wrapper or the
> plugin by the interface name. If you use an interface name like:
> pf_ring::eth1, then you are using the plugin and load balancing won't
> work. If you are just using an interface name like eth1 and
> lb_method=pf_ring, then you will be using the libpcap wrapper.
>
> When the pf_ring developers contributed the pf_ring plugin, it seems that
> they didn't do full integration with the deployment method.
>
> International Computer Science Institute
> (Bro) because everyone has a network
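
Added example, not part of the original thread and not broctl's own code: a small Python check that applies the node.cfg rule from Seth's reply (an interface named pf_ring::ethX selects the plugin, where load balancing won't work; a plain interface name with lb_method=pf_ring selects the libpcap wrapper). The function name and the sample node.cfg are constructed for illustration.

```python
import configparser

# Constructed sample node.cfg (not from the thread): one worker per capture path.
SAMPLE_NODE_CFG = """
[manager]
type=manager
host=localhost
[worker-1]
type=worker
host=localhost
interface=eth1
lb_method=pf_ring
lb_procs=4
[worker-2]
type=worker
host=localhost
interface=pf_ring::eth1
lb_method=pf_ring
lb_procs=4
"""

def classify_workers(cfg_text):
    """Return {worker: (capture_path, warning_or_None)} for a node.cfg text."""
    # Split only on '=' so the '::' in 'pf_ring::eth1' stays in the value.
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(cfg_text)
    report = {}
    for name in cfg.sections():
        node = cfg[name]
        if node.get("type") != "worker":
            continue  # manager, proxy and logger nodes do not capture
        iface = node.get("interface", "")
        lb_method = node.get("lb_method", "")
        procs = node.getint("lb_procs", fallback=1)
        warning = None
        if iface.startswith("pf_ring::"):
            path = "plugin"
            # Per the reply above: with the plugin, load balancing won't work.
            if lb_method or procs > 1:
                warning = "pf_ring:: selects the plugin; load balancing won't work"
        elif lb_method == "pf_ring":
            path = "libpcap-wrapper"
        else:
            path = "plain"
        report[name] = (path, warning)
    return report

if __name__ == "__main__":
    for name, (path, warning) in classify_workers(SAMPLE_NODE_CFG).items():
        print(name, path, warning or "ok")
```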