[Bro] broctl startup error
Azoff, Justin S
jazoff at illinois.edu
Thu Aug 31 06:22:12 PDT 2017
On Aug 31, 2017, at 8:58 AM, Allen, Brian <brianallen at wustl.edu> wrote:
> That helped! In broctl.cfg I had to fix this line. The single quotes were missing.
> BroArgs = -f '(net 220.127.116.11/16 or net 18.104.22.168/19)’
> But now when I start up the cluster (and it does start up which is good) the workers are all running at 100% which is not normal on these boxes. Should be around 50% That seems like pf_ring is not running, but I keep checking and pf_ring is installed and loaded.
> Hyperthreading is still disabled. That didn’t change after the upgrade.
> What could have changed after the upgrade to cause the cpus to run at 100%? I still think there is something wrong with pf_ring, but I’m not seeing it. I just built another BRO cluster for our research network on ubuntu 14.04 servers and got pf_ring and bro running there no problem.
> Thanks for your help,
Yes.. it's likely that bro is not using pf_ring properly.
What does this output?
broctl exec "ldd `which bro`|grep pcap"
You should see lines like
libpcap.so.1 => /opt/pfring/lib/libpcap.so.1
and not the normal libpcap in /usr/lib
If you look at your conn.log you also may see the same exact connection logged once for each worker that you are running.
- Justin Azoff
More information about the Bro