[Bro] Triplicate Entries in CONN Log

Philip Romero promero at cenic.org
Wed Jan 3 12:49:31 PST 2018

Seth and Justin,

It looks to be working now. The latest change that was made was dropping
the pfring version from 7.0.0 to 6.6.0. That in combination with using
the "pfringclusterid = 11" setting in the broctl.cfg got it working
correctly. We're no longer seeing any multiple entries for the same

Thanks for all the help.


On 1/3/18 11:57 AM, Seth Hall wrote:
> On 3 Jan 2018, at 12:39, Philip Romero wrote:
>> Thanks for the troubleshooting code. It looks like only one interface is
>> getting the traffic, but all 4 cores assigned are processing the same
>> traffic individually. I'm still working with my Systems team on the
>> suggestion from Justin.  
> Could you try removing all of the worker configs from node.cfg except
> for worker-4?  I'm curious if there is something we did that is
> causing trouble for PF_Ring if multiple interfaces are being sniffed
> like that.
>   .Seth
> -- 
> Seth Hall * Corelight, Inc * www.corelight.com

Philip Romero, CISSP, CISA
Sr. Information Security Analyst
promero at cenic.org
Phone: (714) 220-3430
Mobile: (562) 237-9290
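
Added example (not part of the thread and not code from the Bro project): one way to confirm that the symptom discussed above is gone is to look in conn.log for the same 5-tuple logged more than once within a short time window. It assumes the default tab-separated conn.log layout with a #fields header line; the sample records, the 1-second window and the function name are constructed for illustration.

```python
from collections import defaultdict

FLOW_KEY = ("id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")

# Constructed sample records (not data from the thread): one flow logged
# three times, the same 5-tuple reused 10 minutes later, one unrelated flow.
SAMPLE = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1515012345.100\tCaaa111\t192.0.2.10\t51000\t198.51.100.5\t443\ttcp",
    "1515012345.101\tCbbb222\t192.0.2.10\t51000\t198.51.100.5\t443\ttcp",
    "1515012345.103\tCccc333\t192.0.2.10\t51000\t198.51.100.5\t443\ttcp",
    "1515012350.000\tCeee555\t192.0.2.11\t40000\t198.51.100.9\t53\tudp",
    "1515012945.500\tCddd444\t192.0.2.10\t51000\t198.51.100.5\t443\ttcp",
])


def duplicate_conns(lines, window=1.0):
    """Return [(5-tuple, [uids])] for flows logged more than once with
    start times within `window` seconds of the first entry."""
    fields, flows = [], defaultdict(list)
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]        # column names follow the tag
        elif line and not line.startswith("#"):  # skip other header lines
            rec = dict(zip(fields, line.split("\t")))
            key = tuple(rec[f] for f in FLOW_KEY)
            flows[key].append((float(rec["ts"]), rec["uid"]))

    dupes = []
    for key, entries in flows.items():
        entries.sort()
        cluster = [entries[0]]
        # The trailing None flushes the last cluster.
        for entry in entries[1:] + [None]:
            if entry is not None and entry[0] - cluster[0][0] <= window:
                cluster.append(entry)
                continue
            if len(cluster) > 1:
                dupes.append((key, [uid for _, uid in cluster]))
            cluster = [entry]
    return dupes


if __name__ == "__main__":
    for flow, uids in duplicate_conns(SAMPLE.splitlines()):
        print(len(uids), "entries for", flow, "uids:", ", ".join(uids))
```

To run it against a real log, pass an open file object for conn.log instead of SAMPLE.splitlines().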
