Here is a brief overview of how to configure load balancing.
PF_RING
PF_RING allows speeding up the packet capture process by installing a new type of socket in Linux systems. It supports 10Gbit hardware packet filtering using standard network adapters, and user-space DNA (Direct NIC Access) for fast packet capture/transmission.
Installing PF_RING
Download and install PF_RING for your system following the instructions here. The following commands will install the latest version of the PF_RING libraries and kernel module:
cd /usr/src tar xvzf PF_RING-6.2.0.tar.gz cd PF_RING-6.2.0/userland/lib ./configure --prefix=/opt/pfring make install cd ../libpcap ./configure --prefix=/opt/pfring make install cd ../tcpdump-4.1.1 ./configure --prefix=/opt/pfring make install cd ../../kernel make make install modprobe pf_ring enable_tx_capture=0 min_num_slots=32768
Refer to the documentation for your Linux distribution on how to load the pf_ring module at boot time.
Download Zeek from zeek.org
Configure and install Zeek using the following commands:
./configure --with-pcap=/opt/pfring make make install
Make sure to install all PF_RING library files on your worker nodes.
Make sure Zeek is correctly linked to the required libpcap libraries:
ldd /usr/local/bro/bin/bro | grep pcap libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007fa6d7d24000)
Using PF_RING
In Zeek’s node configuration file, node.cfg, define the lb_method for your workers. Also, use lb_procs to specify how many processes you’d like to run, and optionally pin those processes to certain cores with the pin_cpus option. The correct pin_cpus setting to use is dependent on your CPU architecture. Intel and AMD systems enumerate processors in different ways. Using the wrong pin_cpus setting can cause poor performance.
[worker-1] type=worker host=10.0.0.50 interface=eth0 lb_method=pf_ring lb_procs=10 pin_cpus=2,3,4,5,6,7,8,9,10,11
Using PF_RING+DNA with symmetric RSS
You must have a PF_RING+DNA license in order to do this. You can sniff each packet only once.
- Load the DNA NIC driver (i.e. ixgbe) on each worker host.
- Run "ethtool -L dna0 combined 10" (this will establish 10 RSS queues on your NIC) on each worker host. You must make sure that you set the number of RSS queues to the same as the number you specify for the lb_procs option in the node.cfg file.
- On the manager, configure your worker(s) in node.cfg:
[worker-1] type=worker host=10.0.0.50 interface=dna0 lb_method=pf_ring lb_procs=10
Using PF_RING+DNA with pfdnacluster_master
You must have a PF_RING+DNA license and a libzero license in order to do this. You can load balance between multiple applications and sniff the same packets multiple times with different tools.
- Load the DNA NIC driver (i.e. ixgbe) on each worker host.
- Run "ethtool -L dna0 1" (this will establish 1 RSS queues on your NIC) on each worker host.
- Run the pfdnacluster_master command on each worker host. For example: "pfdnacluster_master -c 21 -i dna0 -n 10". Make sure that your cluster ID (21 in this example) matches the interface name you specify in the node.cfg file. Also make sure that the number of processes you’re balancing across (10 in this example) matches the lb_procs option in the node.cfg file. If you are load balancing to other processes, you can use the pfringdnafirstappinstance variable in broctl to set the first application instance that Zeek should use. For example, if you are running pfdnacluster_master with "-n 4,10" you would set pfringdnafirstappinstance=4. Unfortunately that’s still a global setting in broctl.cfg at the moment but we may change that to something you can set in node.cfg eventually.
- On the manager, configure your worker(s) in node.cfg:
[worker-1] type=worker host=10.0.0.50 interface=dnacluster:21 lb_method=pf_ring lb_procs=10
Page Contents
Quick Links
- 13 February 2020: Ask the Zeeksperts - Aashish Sharma
- 18 February 2020 - Portland OR: Zeek Days Workshops
- 27 February 2020: Ask the Zeeksperts
- 7-9 October 2020 - Austin, Texas: ZeekWeek 2020
