[Bro] broctl startup error

Azoff, Justin S jazoff at illinois.edu
Thu Aug 31 06:22:12 PDT 2017

On Aug 31, 2017, at 8:58 AM, Allen, Brian <brianallen at wustl.edu> wrote:
> That helped!  In broctl.cfg I had to fix this line.  The single quotes were missing.  
> BroArgs = -f '(net or net’
> But now when I start up the cluster (and it does start up which is good) the workers are all running at 100% which is not normal on these boxes.  Should be around 50%.  That seems like pf_ring is not running, but I keep checking and pf_ring is installed and loaded.
> Hyperthreading is still disabled.  That didn’t change after the upgrade. 
> What could have changed after the upgrade to cause the cpus to run at 100%?  I still think there is something wrong with pf_ring, but I’m not seeing it.  I just built another BRO cluster for our research network on ubuntu 14.04 servers and got pf_ring and bro running there no problem.  
> Thanks for your help,
> -Brian

Yes.. it's likely that bro is not using pf_ring properly.

What does this output?

    broctl exec "ldd `which bro`|grep pcap"

You should see lines like

    libpcap.so.1 => /opt/pfring/lib/libpcap.so.1

and not the normal libpcap in /usr/lib

If you look at your conn.log you also may see the same exact connection logged once for each worker that you are running.

- Justin Azoff
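
The duplicate-logging symptom described above can be checked mechanically. This is an added example, not part of the original message or of Bro itself: it parses a conn.log and reports any 5-tuple logged more than once within a short window. The sample log lines, the 1-second window and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: a Bro conn.log excerpt trimmed to the fields used here.
# The first connection appears three times, as it would if three workers
# each received a full copy of the traffic instead of a pf_ring share.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1504185732.101\tCaaa01\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp",
    "1504185732.102\tCbbb02\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp",
    "1504185732.104\tCccc03\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp",
    "1504185733.500\tCddd04\t10.0.0.7\t40222\t192.0.2.53\t53\tudp",
    "1504185800.000\tCeee05\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp",
])

KEY_FIELDS = ("id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")


def parse_conn_log(text):
    """Parse Bro's tab-separated log format using its '#fields' header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def find_duplicates(records, window=1.0):
    """Return {5-tuple: [uids]} for connections logged more than once
    with start times within `window` seconds (assumed threshold)."""
    by_key = defaultdict(list)
    for r in records:
        by_key[tuple(r[f] for f in KEY_FIELDS)].append((float(r["ts"]), r["uid"]))
    dupes = {}
    for key, seen in by_key.items():
        seen.sort()
        uids = set()
        # Compare neighbours in time order; close pairs are duplicates.
        for (t0, u0), (t1, u1) in zip(seen, seen[1:]):
            if t1 - t0 <= window:
                uids.update((u0, u1))
        if uids:
            dupes[key] = sorted(uids)
    return dupes


if __name__ == "__main__":
    for key, uids in find_duplicates(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(len(uids), "copies of", key, uids)
```

If the number of copies per connection matches the number of workers, each worker is seeing all of the traffic.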
