[Bro] Bro 2.0 packets dropped
Martin Holste
mcholste at gmail.com
Fri Feb 10 13:42:43 PST 2012
What do you see in /proc/net/pf_ring/ ? If you cat a file matching
the PID of one of the Bro processes, it should say what the cluster_id
is. If they are all 21, then it is working.
On Fri, Feb 10, 2012 at 9:46 AM, Machiel van Veen <mvv at sentia.nl> wrote:
> On Friday 10 February 2012 16:26:48 Seth Hall wrote:
>> It looks like you are missing the setting that turns on the pf_ring
>> clustering support. If you built against the pf_ring libpcap wrapper it
>> should have been put in there automatically (unless you installed over top
>> of a previous installation?).
>>
>> Add this to your broctl.cfg and do "check", "install", "restart" in broctl.
>> PFRingClusterId = 21
>>
>> .Seth
>
> I've added the option, there is no difference. I did notice in the debug logs
> before that this option has been set by default. At startup i see the
> following for all workers, proxy and manager:
>
> "PCAP_PF_RING_USE_CLUSTER_PER_FLOW=1 PCAP_PF_RING_CLUSTER_ID=21"
>
> The bro binary does seem to use the correct lib:
>
> $ ldd /opt/bro/bin/bro | grep pcap
> libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00007fae5cad2000)
>
> I'll go ahead and do this again on monday, perhaps I did make a mistake during
> the build process.
>
> Thanks, Machiel.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
More information about the Bro
mailing list