Re: [Bro] My last issue I hope
by Richards, James L - DOA
I may have something here... in perusing the logs on a node in /usr/local/bro/logs, I am seeing...
/usr/local/bro/bin/bro: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory
When I do an ldconfig -v on the same node, I get
libpfring.so -> libpfring.so
libpcap.so.1 -> libpcap.so.1.1.1
So bro is looking for libpcap.so.0.8 which is not present, correct?
Office of Security
Wisconsin Department of Administration
From: Tritium Cat [mailto:firstname.lastname@example.org]
Sent: Thursday, June 20, 2013 2:28 PM
To: Richards, James L - DOA
Subject: Re: [Bro] My last issue I hope
On Thu, Jun 20, 2013 at 8:31 AM, Richards, James L - DOA <James.Richards@wisconsin.gov> wrote:
It certainly appears to be working and up in promisc mode...
eth4 Link encap:Ethernet HWaddr 00:1b:21:33:55:20
inet6 addr: fe80::21b:21ff:fe33:5520/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:474826801 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:330011101828 (330.0 GB) TX bytes:468 (468.0 B)
Thanks all, I will continue to dig...
You might have more than one version of libpcap on the system and when Bro was compiled it linked to the non-PF_RING version.
Try "ldd /path/to/bro" and check that the linked libpcap library is the pf_ring aware version. If that's your problem or you cannot easily tell then I think the easiest solution is to use your package manager to uninstall libpcap and use the version provided by the pf_ring package. You may need to recompile everything depending on how Bro discovered resources during the configure / make.
If Bro were using PF_RING correctly, you would see a proc entry with the PID and interface as its filename.
"cat /proc/net/pf_ring/33461-eth5.47" would show you the PF_RING stats for that particular worker.
You could also install the pf_ring library and libpcap version to a non-standard directory so the distinction is clear(er) but this requires a bunch of additional stuff.
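As an added example (not part of the thread), a small POSIX shell helper that performs the "ldd /path/to/bro" check suggested above and classifies the libpcap the binary resolves to: missing (the libpcap.so.0.8 case in the original post), under a PF_RING install prefix, or some other libpcap that needs a manual look. The assumption that the PF_RING-aware libpcap lives under a path containing "pf_ring" or "pfring" is mine, and the sample ldd lines are constructed.

```shell
#!/bin/sh
# Classify one ldd output line that mentions libpcap.
# Prints one of: missing | pfring | other
classify_pcap_line() {
    line=$1
    case "$line" in
        *"not found"*)                          echo missing ;;
        # Assumption: the PF_RING build of libpcap is installed under a
        # directory whose path contains pf_ring / pfring / PF_RING.
        */pf_ring/*|*/pfring/*|*/PF_RING/*)     echo pfring ;;
        *)                                      echo other ;;
    esac
}

# Read ldd output on stdin, pick the first libpcap line and classify it.
# Prints "none" when the binary does not link libpcap at all.
check_pcap_from_ldd() {
    pcap_line=$(grep 'libpcap' | head -n 1)
    if [ -z "$pcap_line" ]; then
        echo none
        return
    fi
    classify_pcap_line "$pcap_line"
}

# Run the check against a real Bro binary (default path from the thread).
check_bro_binary() {
    bro=${1:-/usr/local/bro/bin/bro}
    ldd "$bro" | check_pcap_from_ldd
}

# List PF_RING worker entries (pid-interface.N files) if the procfs dir exists.
list_pf_ring_workers() {
    dir=/proc/net/pf_ring
    [ -d "$dir" ] || { echo "no $dir: PF_RING module not loaded or no active rings"; return; }
    ls "$dir" | grep -E '^[0-9]+-' || echo "no worker entries in $dir"
}

# Constructed sample ldd lines covering the three situations discussed.
SAMPLE_MISSING='	libpcap.so.0.8 => not found'
SAMPLE_DISTRO='	libpcap.so.1 => /usr/lib/libpcap.so.1 (0x00007f3a1c000000)'
SAMPLE_PFRING='	libpcap.so.1 => /opt/pf_ring/lib/libpcap.so.1 (0x00007f3a1c000000)'

for s in "$SAMPLE_MISSING" "$SAMPLE_DISTRO" "$SAMPLE_PFRING"; do
    printf '%s -> %s\n' "$s" "$(printf '%s\n' "$s" | check_pcap_from_ldd)"
done
```

On a live sensor, run `check_bro_binary` and `list_pf_ring_workers` after sourcing the file; a result of "missing" matches the loader error in the log, and "other" means a non-PF_RING libpcap is being picked up.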