[Bro] Bro crashing on start

Drake Aronhalt drakearonhalt at gmail.com
Fri Oct 14 06:30:04 PDT 2016


Thanks Johanna, the issue seemed to be pf_ring. I rolled it back to 6.0.3
and it's working fine now.

On Fri, Oct 14, 2016 at 9:18 AM, Johanna Amann <johanna at icir.org> wrote:

> Hello Drake,
>
> I am not aware of any changes that we did that should cause this kind of
> error, so I assume that the reason for this is not the updated pfring, and
> not the updated Bro.
>
> Could you check if this indeed does work with Bro 2.4.1 and the new
> pfring, or if Bro 2.4.1 and the new pfring fails in the same way and
> report back? :)
>
> Thanks,
>  Johanna
>
> On Thu, Oct 06, 2016 at 11:01:50PM -0400, Drake Aronhalt wrote:
> > All,
> >   This morning I updated bro and pfring on my dev sensor to their
> > respective git master branches and started receiving this error when I try
> > to start bro:
> >
> > # broctl start
> > starting logger ...
> > starting manager ...
> > starting proxy-1 ...
> > starting worker-1-1 ...
> > starting worker-1-2 ...
> > starting worker-1-3 ...
> > starting worker-1-4 ...
> > starting worker-1-5 ...
> > worker-1-5 terminated immediately after starting; check output with "diag"
> > worker-1-4 terminated immediately after starting; check output with "diag"
> > worker-1-1 terminated immediately after starting; check output with "diag"
> > worker-1-3 terminated immediately after starting; check output with "diag"
> > worker-1-2 terminated immediately after starting; check output with "diag"
> >
> >
> > running 'broctl diag' gives me this
> >
> >       fatal error: problem with interface eno33557248 (pcap_error: BPF program is not valid)
> >
> > pf_ring is loading properly as far as I can tell. My node.cfg is below:
> >
> >
> > [logger]
> > type=logger
> > host=localhost
> >
> > [manager]
> > type=manager
> > host=localhost
> >
> > [proxy-1]
> > type=proxy
> > host=localhost
> >
> > [worker-1]
> > type=worker
> > host=localhost
> > interface=eno33557248
> > lb_method=pf_ring
> > lb_procs=5
> > pin_cpus=2,3,4,5,6
> >
> >
> > Any ideas on what causes this? Should I just roll back to my last config
> > that worked, or did I miss a change in bro 2.5 config?
> >
> >
> > Drake
>