[Bro] My last issue I hope

Richards, James L - DOA James.Richards at wisconsin.gov
Fri Jun 21 08:48:33 PDT 2013


I may have something here...  in perusing the logs on a node in /usr/local/bro/logs, I am seeing...

/usr/local/bro/bin/bro: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory

When I do an ldconfig -v on the same node, I get

/usr/local/pfring/lib:
        libpfring.so -> libpfring.so
        libpcap.so.1 -> libpcap.so.1.1.1

So bro is looking for libpcap.so.0.8 which is not present, correct?

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

From: Tritium Cat [mailto:tritium.cat at gmail.com]
Sent: Thursday, June 20, 2013 2:28 PM
To: Richards, James L - DOA
Subject: Re: [Bro] My last issue I hope

On Thu, Jun 20, 2013 at 8:31 AM, Richards, James L - DOA <James.Richards at wisconsin.gov> wrote:
It certainly appears to be working and up in promisc mode...

eth4      Link encap:Ethernet  HWaddr 00:1b:21:33:55:20
          inet6 addr: fe80::21b:21ff:fe33:5520/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:474826801 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:330011101828 (330.0 GB)  TX bytes:468 (468.0 B)

Thanks all, I will continue to dig...


You might have more than one version of libpcap on the system and when Bro was compiled it linked to the non-PF_RING version.

Try "ldd /path/to/bro" and check that the linked libpcap library is the pf_ring aware version.  If that's your problem or you cannot easily tell then I think the easiest solution is to use your package manager to uninstall libpcap and use the version provided by the pf_ring package.  You may need to recompile everything depending on how Bro discovered resources during the configure / make.

If Bro were using PF_RING correctly you should see a proc entry with the PID and interface for filename.

Example:

"cat /proc/net/pf_ring/33461-eth5.47" would show you the PF_RING stats for that particular worker.


You could also install the pf_ring library and libpcap version to a non-standard directory so the distinction is clear(er) but this requires a bunch of additional stuff.


--tc
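
The two checks suggested in the reply above (which libpcap the Bro binary resolves to, and whether a PF_RING proc entry exists for the interface), as an added shell example that is not part of the original thread. The function names and the sample `ldd` lines are constructed; the PF_RING prefix defaults to the `/usr/local/pfring/lib` directory shown in the `ldconfig -v` output.

```shell
#!/bin/sh
# Added example: names and sample data below are constructed for illustration.

# Classify how libpcap resolves in `ldd` output read from stdin. Prints:
#   missing <soname>        loader cannot find it (the error in this thread)
#   pfring <soname> <path>  resolves under the PF_RING prefix ($1)
#   other <soname> <path>   resolves elsewhere, e.g. the distro libpcap
#   none                    no libpcap dependency at all
classify_libpcap() {
    prefix=${1:-/usr/local/pfring/lib}
    awk -v prefix="$prefix" '
        $1 ~ /^libpcap\.so/ {
            found = 1
            if ($0 ~ /not found/)                { print "missing", $1 }
            else if (index($3, prefix "/") == 1) { print "pfring", $1, $3 }
            else                                 { print "other", $1, $3 }
        }
        END { if (!found) print "none" }'
}

# List PF_RING ring entries, named <pid>-<iface>.<n>, for one interface.
# No output means no process has a PF_RING socket open on that interface.
pfring_rings() {
    iface=$1
    dir=${2:-/proc/net/pf_ring}
    for f in "$dir"/*-"$iface".*; do
        [ -e "$f" ] && basename "$f"
    done
    return 0
}

# Constructed ldd output: binary built against a libpcap soname that is absent.
SAMPLE_BROKEN='    libpcap.so.0.8 => not found
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'

# Constructed ldd output: binary rebuilt against the PF_RING libpcap.
SAMPLE_FIXED='    libpcap.so.1 => /usr/local/pfring/lib/libpcap.so.1 (0x00007f0000200000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'

printf '%s\n' "$SAMPLE_BROKEN" | classify_libpcap   # missing libpcap.so.0.8
printf '%s\n' "$SAMPLE_FIXED"  | classify_libpcap
# On a sensor: ldd /usr/local/bro/bin/bro | classify_libpcap
#              pfring_rings eth4
```

A `missing` result means the binary has to be rebuilt or relinked against the installed library; an `other` result means Bro starts but is capturing through a libpcap that is not under the PF_RING prefix.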