[Bro] huge weird.log/conn.log

erik clark philosnef at gmail.com
Thu Dec 1 10:13:14 PST 2016


Sorry, this was supposed to go to the list as well:

Hmm. I see

FAIL: saw flow {tcp $ip $num $ip $num} on workers $num and $num.

This is on RHEL7 with the latest kernel. How can I address what I am
assuming is a failure of the kernel?


On Thu, Dec 1, 2016 at 12:48 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Dec 1, 2016, at 11:24 AM, erik clark <philosnef at gmail.com> wrote:
> >
> > Hmm. I note that I am actually, in a given hour, getting 25-30% fewer
> > logs from http.log.
> >
> > Are there any guides to tuning Bro to work with af_packet?
> >
> Step 1: ensure that you can use af_packet in the first place:
>
> https://github.com/JustinAzoff/can-i-use-afpacket-fanout/
>
> It looks like your current setup is not working.
>
> --
> - Justin Azoff
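For readers following the thread: the FAIL line quoted above reports a single connection whose packets were delivered to two different fanout workers, which is exactly the property a Bro cluster on af_packet depends on (every packet of a connection, in both directions, reaching the same worker). The script below is an added illustration of that check, not the code of can-i-use-afpacket-fanout and not Bro code. It assumes the tool's logic is: capture on N workers, key each packet by its connection 5-tuple, and flag any connection seen on more than one worker. The two hash policies stand in for the kernel's PACKET_FANOUT_HASH: a symmetric one (both directions hash to the same worker) and an asymmetric one that reproduces the FAIL output. The mixing function, the worker count of 4 and the packet sample are all constructed for the example so the result can be checked by hand; none of them is the kernel's hash or real traffic.

```python
# Added illustration of the check behind the FAIL line above.  This is NOT
# the code of can-i-use-afpacket-fanout or of Bro; it models the idea:
# capture on N fanout workers, key each packet by its connection 5-tuple,
# and report any connection whose packets were delivered to more than one
# worker.  The two hash policies stand in for the kernel's PACKET_FANOUT_HASH:
# a symmetric one (both directions of a connection land on the same worker,
# which is what a Bro worker needs to see a whole connection) and an
# asymmetric one that reproduces the failure.  The mixing function is a
# deliberately simple toy (an assumption of this example, not the kernel's
# hash) so the result can be checked by hand.
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

# (proto, src_ip, src_port, dst_ip, dst_port) as seen on the wire
Packet = Tuple[str, str, int, str, int]
FlowKey = Tuple[str, str, int, str, int]
Policy = Callable[[Packet, int], int]

PROTO_NUM = {"tcp": 6, "udp": 17}


def canonical_flow(pkt: Packet) -> FlowKey:
    """Direction-independent key: order the endpoints so that A->B and
    B->A collapse to the same tuple (this is what makes a hash symmetric)."""
    proto, sip, sport, dip, dport = pkt
    a, b = (sip, sport), (dip, dport)
    if a > b:
        a, b = b, a
    return (proto, a[0], a[1], b[0], b[1])


def _endpoint_value(ip: str, port: int) -> int:
    # Toy mixing of one endpoint: sum of the IPv4 octets plus the port.
    return sum(int(octet) for octet in ip.split(".")) + port


def _bucket(key: FlowKey, nworkers: int) -> int:
    # Order-dependent toy hash of a 5-tuple onto a worker index.
    proto, ip1, p1, ip2, p2 = key
    return (7 * _endpoint_value(ip1, p1)
            + 13 * _endpoint_value(ip2, p2)
            + PROTO_NUM[proto]) % nworkers


def asymmetric_worker(pkt: Packet, nworkers: int) -> int:
    """Hash the tuple exactly as seen on the wire: the reply direction
    (src/dst swapped) can land on a different worker."""
    return _bucket(pkt, nworkers)


def symmetric_worker(pkt: Packet, nworkers: int) -> int:
    """Same hash, but over the canonicalized tuple, so both directions of a
    connection map to the same worker."""
    return _bucket(canonical_flow(pkt), nworkers)


def check_fanout(packets: List[Packet], nworkers: int, policy: Policy) -> List[str]:
    """Replay the packets through a policy and report every connection that
    was split across workers, in the spirit of the tool's FAIL line."""
    seen: Dict[FlowKey, Set[int]] = defaultdict(set)
    for pkt in packets:
        seen[canonical_flow(pkt)].add(policy(pkt, nworkers))
    failures = []
    for flow, workers in sorted(seen.items()):
        if len(workers) > 1:
            proto, ip1, p1, ip2, p2 = flow
            where = " and ".join(str(w) for w in sorted(workers))
            failures.append(
                f"FAIL: saw flow {{{proto} {ip1} {p1} {ip2} {p2}}} on workers {where}")
    return failures


# Constructed sample: four connections, each with a request and a reply packet.
SAMPLE_PACKETS: List[Packet] = [
    ("tcp", "10.0.0.1", 40001, "192.168.1.10", 80),
    ("tcp", "192.168.1.10", 80, "10.0.0.1", 40001),
    ("udp", "10.0.0.2", 53000, "8.8.8.8", 53),
    ("udp", "8.8.8.8", 53, "10.0.0.2", 53000),
    ("tcp", "10.0.0.3", 40010, "192.168.1.10", 443),
    ("tcp", "192.168.1.10", 443, "10.0.0.3", 40010),
    ("tcp", "10.0.0.4", 40001, "192.168.1.10", 80),
    ("tcp", "192.168.1.10", 80, "10.0.0.4", 40001),
]

if __name__ == "__main__":
    for name, policy in (("asymmetric", asymmetric_worker), ("symmetric", symmetric_worker)):
        failures = check_fanout(SAMPLE_PACKETS, 4, policy)
        print(f"{name}: {len(failures)} split connection(s)")
        for line in failures:
            print("  " + line)
```

Run as-is, the asymmetric policy reports three of the four sample connections split across workers (the fourth happens to hash both directions to the same worker, which is why a single clean flow proves nothing), while the symmetric policy reports none. A worker that only sees one direction of a connection cannot reassemble it, so the per-flow split is the thing to look for rather than overall packet counts.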