[Bro] Duplicate log entries for events

Brendan Dalpe brendan-dalpe at utulsa.edu
Mon Oct 14 06:08:45 PDT 2013


Seth and Alex,

I was able to resolve the issue by installing the Linux headers for the
version of the kernel we are running and then recompiling the pf_ring
module. We had updated the box, but it appears that the kernel module
didn't compile correctly.

Thanks,

Brendan


On Wed, Oct 9, 2013 at 2:50 PM, Alex Waher <alexwis at gmail.com> wrote:

> Make sure `lsmod` shows that the pf_ring module is loaded. If it's not
> loaded, `modprobe pf_ring`
> Or verify the eth0 interface is running with pf_ring by checking
> /proc/net/pf_ring/dev/eth0/info
>
>
> On Wed, Oct 9, 2013 at 9:35 AM, Seth Hall <seth at icir.org> wrote:
>
>>
>> On Oct 8, 2013, at 5:16 PM, Brendan Dalpe <brendan-dalpe at utulsa.edu>
>> wrote:
>>
>> > [bro-eth0]
>> > type=worker
>> > host=10.1.26.22
>> > interface=eth0
>> > lb_method=pf_ring
>> > lb_procs=4
>> >
>> >
>> > Any thoughts?
>>
>> It sounds like something isn't installed correctly.  Did you successfully
>> build Bro against the pf_ring libpcap wrapper?  Your traffic isn't load
>> balancing and each worker is getting the full stream.
>>
>> Maybe you could show us your configure command?  You can see exactly what
>> you did if you go to your source and look at build/config.status
>>
>>   .Seth
>>
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
>>
>
>


-- 
Brendan Dalpe
brendan-dalpe at utulsa.edu
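
Added example, not part of the original messages: a shell sketch of the checks this thread walks through (a pf_ring module present for the running kernel, the module loaded, the capture interface registered under /proc/net/pf_ring). The function names are hypothetical, and the module location under /lib/modules/<release> is an assumption about where the build installs it.

```shell
#!/bin/sh
# Added example: pf_ring sanity checks before starting load-balanced workers.
# Every path is a parameter so the checks can be run against fixtures;
# the defaults are the live system locations.

# Is pf_ring listed in a /proc/modules-format file (the data lsmod shows)?
# Matches the module name exactly, not modules that merely start with it.
pf_ring_loaded() {
    modules_file="${1:-/proc/modules}"
    awk '$1 == "pf_ring" { found = 1 } END { exit !found }' "$modules_file"
}

# Is there a pf_ring module in the tree for this kernel release?
# After a kernel update the new release's tree can lack the module
# until it is rebuilt against the matching headers.
# Assumption: the module is installed somewhere under /lib/modules/<release>.
pf_ring_built_for() {
    release="${1:-$(uname -r)}"
    modroot="${2:-/lib/modules}"
    [ -d "$modroot/$release" ] || return 1
    [ -n "$(find "$modroot/$release" -name 'pf_ring.ko*' -print 2>/dev/null | head -n 1)" ]
}

# Is the capture interface registered with pf_ring?
iface_on_pf_ring() {
    iface="$1"
    procroot="${2:-/proc/net/pf_ring}"
    [ -r "$procroot/dev/$iface/info" ]
}

# Run all three checks against the live system and report what is missing.
check_pf_ring() {
    iface="$1"
    rc=0
    pf_ring_built_for || {
        echo "no pf_ring module for kernel $(uname -r): install matching headers and rebuild"
        rc=1
    }
    pf_ring_loaded || { echo "pf_ring not loaded: try modprobe pf_ring"; rc=1; }
    iface_on_pf_ring "$iface" || { echo "$iface has no pf_ring info entry"; rc=1; }
    return $rc
}
```

Source the file and run `check_pf_ring eth0` on the sensor; a non-zero return means at least one check failed.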