[Bro] Bro and PF_Ring

Azoff, Justin S jazoff at illinois.edu
Mon Jul 18 13:02:39 PDT 2016

> On Jul 18, 2016, at 5:43 PM, Obndnar smith <obdnanr at gmail.com> wrote:
> I've followed the steps to get Bro to use pf_ring and it even shows that it's using the pf_ring/lib, but as soon as I install from my manager it reverts back to libpcap.  Any ideas?

It sounds like you are building and installing bro on the worker nodes a well as on the manager nodes.  You only need to install bro on the manager node.  broctl copies the bro installation to each worker node for you.

The process for using pf_ring on a bro cluster would be:

1) install pf_ring kernel module and libraries on each worker
2) install pf_ring libraries on the manager - You can install the kernel modules if you wanted to, but nothing will use them. 
3) install bro on the manager

If you are missing the pf_ring libraries on the manager that will cause the manager binary to not be linked against pf_ring.

- Justin Azoff

More information about the Bro mailing list