This plugin provides native Endace DAG packet capture card support for Bro.
Ensure you have the latest Bro release and bro-pkg installed. Install the latest DAG software package and then run:

```
bro-pkg autoconfig
bro-pkg install endace/bro-dag
```
Follow the DAG installation instructions to get its kernel module, drivers and userspace libraries installed, then use the following commands to configure and build the plugin.
After building Bro from the sources, change to the `bro-dag` directory and run:

```
./configure --bro-dist=<path to bro sources>
make && sudo make install
```
If everything built and installed correctly, you should see this:

```
bro -N Endace::DAG
Endace::DAG - Packet acquisition via Endace DAG capture cards (dynamic, version 0.3)
```
Optionally, add the bro user to the dag group (DAG 5.7.1 or newer):

```
usermod -a -G dag bro
```
Once installed, you can use DAG card streams by prefixing them with
`endace::` on the command line. For example, to capture from
DAG card 1:

```
bro -i endace::dag1
```

To capture from DAG card 1, stream 2:

```
bro -i endace::dag1:2
```
This plugin does not configure hardware load balancing on the DAG card. Use the DAG software tools to configure the card before use. For example, to configure 2-tuple (src/dst IP) load balancing for 8 worker processes:

```
dagconfig -d1 hash_tuple=2 hash_bins=8
```
To use bro-dag in production with multiple Bro processes, use a configuration similar to this in node.cfg (e.g. /usr/local/bro/etc/node.cfg):

```
[worker-1]
type=worker
host=localhost
interface=endace::dag1
lb_method=custom
lb_procs=8
## Optionally pin worker threads
#pin_cpus=0,1,2,3,4,5,6,7
```

Here `lb_procs` is the number of processes for load balancing. Current DAG card models support up to 32 streams/procs for load balancing in hardware, as well as hardware packet filtering and flexible steering of up to 4 capture ports/interfaces to streams (see the DAG documentation).
To use with multiple DAG cards, add multiple worker stanzas as above.
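As an added example (not part of the bro-dag project), the following POSIX shell helper emits one worker stanza per DAG card in the format shown above, keeps `lb_procs` within the 32-stream hardware limit the README states, and prints the matching `dagconfig` line so `hash_bins` and `lb_procs` stay in sync. The `card:procs[:first_cpu]` argument format, the card names, and the pinning layout (one CPU per process, consecutive from `first_cpu`) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not bro-dag project code. Generates node.cfg worker
# stanzas for several DAG cards and validates lb_procs against the
# hardware stream limit. Inputs are constructed ("dag1:8:0", "dag2:4").

MAX_DAG_STREAMS=32   # README: current DAG models load-balance up to 32 streams

# dag_worker_stanza <index> <card> <lb_procs> [<first_cpu>]
# Prints one [worker-N] stanza for endace::<card>; pins CPUs if a
# first CPU is given (assumption: one CPU per process, consecutive).
dag_worker_stanza() {
    idx=$1; card=$2; procs=$3; first_cpu=${4:-}
    if [ "$procs" -lt 1 ] || [ "$procs" -gt "$MAX_DAG_STREAMS" ]; then
        echo "error: lb_procs=$procs for $card outside 1..$MAX_DAG_STREAMS" >&2
        return 1
    fi
    printf '[worker-%s]\n' "$idx"
    printf 'type=worker\nhost=localhost\n'
    printf 'interface=endace::%s\n' "$card"
    printf 'lb_method=custom\nlb_procs=%s\n' "$procs"
    if [ -n "$first_cpu" ]; then
        last=$((first_cpu + procs - 1))
        printf 'pin_cpus=%s\n' "$(seq -s, "$first_cpu" "$last")"
    fi
    printf '\n'
}

# dag_node_cfg card:procs[:first_cpu] ...  -> one stanza per card,
# numbered worker-1, worker-2, ... Fails on the first invalid card.
dag_node_cfg() {
    i=1
    for spec in "$@"; do
        IFS=: read -r card procs cpu <<EOF
$spec
EOF
        dag_worker_stanza "$i" "$card" "$procs" "$cpu" || return 1
        i=$((i + 1))
    done
}

# dagconfig_for <card> <procs>: the dagconfig command whose hash_bins
# matches lb_procs for that card (card "dagN" -> device index N).
dagconfig_for() {
    printf 'dagconfig -d%s hash_tuple=2 hash_bins=%s\n' "${1#dag}" "$2"
}

# Usage: dag_node_cfg dag1:8:0 dag2:4 >> node.cfg; dagconfig_for dag1 8
```

Run `dagconfig_for` for every card before `deploy`, since the plugin itself does not program the card's load balancing.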
Now start the BroControl shell:
And start the Bro instances:

```
[BroControl] > deploy
```
Basic binary-only packages can be generated as follows if you have rpmbuild and/or Debian build tools installed. Distributing these packages outside a closed environment is not recommended, as Bro package installation locations vary.

```
./configure --bro-dist=<path to bro sources after building>
cd build/
make package
```
Packages add the bro user to the dag group if it exists.
From a completely clean (i.e. no untracked files) git checkout:

```
./configure --bro-dist=<path to bro sources>
cd build/
make package_sources
```