[Bro] zbalance_ipc with multiple applications and Bro

Michał Purzyński michalpurzynski1 at gmail.com
Wed Feb 11 07:14:30 PST 2015


I'm trying to start Bro and Suricata on one sensor, using the pf_ring
ZC, like this

zbalance_ipc -i eth5 -c 99 -n 4,4 -m 1

where 99 is the cluster ID and -n <num>,<num> creates separate rings
for each application. So far so good.

I should tell Bro to somehow bind to the zc:99@4, zc:99@5, zc:99@6,
zc:99@7 interfaces. How can I do it?

Using zc:99@4 (AKA base, and let it increment automatically) does not work

fatal error: /opt/bro/bin/bro: problem with interface zc:99@4 -
pcap_open_live: zc:99@4: No such device exists (SIOCGIFHWADDR: No such

Same for just zc:99 and not a surprise, Bro somehow needs to open
sub-interfaces 4-7.

Is it even supported?
