[Bro] Bro 2.0 packets dropped

Martin Holste mcholste at gmail.com
Fri Feb 10 13:42:43 PST 2012

What do you see in /proc/net/pf_ring/ ?  If you cat a file matching
the PID of one of the Bro processes, it should say what the cluster_id
is.  If they are all 21, then it is working.

On Fri, Feb 10, 2012 at 9:46 AM, Machiel van Veen <mvv at sentia.nl> wrote:
> On Friday 10 February 2012 16:26:48 Seth Hall wrote:
>> It looks like you are missing the setting that turns on the pf_ring
>>  clustering support.  If you built against the pf_ring libpcap wrapper it
>>  should have been put in there automatically (unless you installed over top
>>  of a previous installation?).
>> Add this to your broctl.cfg and do "check", "install", "restart" in broctl.
>> PFRingClusterId = 21
>>   .Seth
> I've added the option, there is no difference. I did notice in the debug logs
> before that this option has been set by default. At startup i see the
> following for all workers, proxy and manager:
> The bro binary does seem to use the correct lib:
> $ ldd /opt/bro/bin/bro | grep pcap
> libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00007fae5cad2000)
> I'll go ahead and do this again on monday, perhaps I did make a mistake during
> the build process.
> Thanks, Machiel.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list