[Bro] Troubleshooting crashes

Tritium Cat tritium.cat at gmail.com
Mon Sep 17 18:34:07 PDT 2012


On Tue, Sep 18, 2012 at 1:10 AM, Seth Hall <seth at icir.org> wrote:

>
> On Sep 17, 2012, at 8:18 PM, Tritium Cat <tritium.cat at gmail.com> wrote:
>
> > I think the fix should be as easy as including another PF_RING
> > environment variable when starting bro.
>
> Oh!  I didn't realize this was settable through an environment variable
> when using their libpcap wrappers.  Do you happen to know the variable?
>  That's something we definitely need to be setting, almost everyone with
> VLAN tagged traffic has trouble with the default PF_RING setting.


I checked and bro already has the right env variables.

From lib/broctl/plugins/lb_pf_ring.py:

    if BroControl.config.Config.pfringclusterid != "0":
        nn.env_vars += ["PCAP_PF_RING_USE_CLUSTER_PER_FLOW=1"]
        nn.env_vars += ["PCAP_PF_RING_CLUSTER_ID=%s" % BroControl.config.Config.pfringclusterid]

The problem is the changes this triggers inside PF_RING do not work as
expected, so I'm still working to prove that to the developer and find out
why.  For the time being I'm using a slight mod to pf_ring as a workaround.

/tc
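
One way to confirm that a running worker actually inherited the variables set by the plugin lines quoted above, as an added example that is not part of the original message or of BroControl: it parses a Linux /proc/<pid>/environ blob and applies the same rule as lb_pf_ring.py. The function names, the cluster id 21 and the sample blobs are constructed for illustration.

```python
"""Check that a process environment carries the PF_RING variables
that lb_pf_ring.py (quoted above) adds when pfringclusterid != "0"."""

def parse_environ(blob):
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ."""
    env = {}
    for entry in blob.split(b"\0"):
        if not entry or b"=" not in entry:
            continue  # skip the trailing empty entry and malformed items
        key, _, value = entry.partition(b"=")
        env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env

def check_pf_ring_env(env, cluster_id):
    """Return a list of problems; an empty list means the env matches."""
    if cluster_id == "0":
        return []  # the plugin sets nothing in this case
    expected = {
        "PCAP_PF_RING_USE_CLUSTER_PER_FLOW": "1",
        "PCAP_PF_RING_CLUSTER_ID": cluster_id,
    }
    problems = []
    for name, want in expected.items():
        got = env.get(name)
        if got is None:
            problems.append("%s is not set" % name)
        elif got != want:
            problems.append("%s=%s, expected %s" % (name, got, want))
    return problems

def check_pid(pid, cluster_id):
    """Read a live process's environment (Linux; needs same user or root)."""
    with open("/proc/%d/environ" % pid, "rb") as fh:
        return check_pf_ring_env(parse_environ(fh.read()), cluster_id)

# Constructed sample blobs, not captured from a real sensor.
GOOD = b"PATH=/usr/bin\0PCAP_PF_RING_USE_CLUSTER_PER_FLOW=1\0PCAP_PF_RING_CLUSTER_ID=21\0"
BAD = b"PATH=/usr/bin\0PCAP_PF_RING_CLUSTER_ID=99\0"

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("bad", BAD)):
        print(label, check_pf_ring_env(parse_environ(blob), "21") or "ok")
```

An empty result only shows that the variables reached the process; it says nothing about how PF_RING acts on them, which is the open question in this thread.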