Bro and PF_Ring

I’ve followed the steps to get Bro to use pf_ring and it even shows that it’s using the pf_ring/lib, but as soon as I install from my manager it reverts back to libpcap. Any ideas?

It sounds like you are building and installing bro on the worker nodes as well as on the manager nodes. You only need to install bro on the manager node. broctl copies the bro installation to each worker node for you.

The process for using pf_ring on a bro cluster would be:

1) install pf_ring kernel module and libraries on each worker
2) install pf_ring libraries on the manager - You can install the kernel modules if you wanted to, but nothing will use them.
3) install bro on the manager

If you are missing the pf_ring libraries on the manager, that will cause the manager binary to not be linked against pf_ring.
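One way to check which libpcap a bro binary resolves to on a given host, as an added example that is not part of the original thread. The `/opt/pfring` prefix, the function names and the sample `ldd` output are constructed assumptions; `ldd` resolves libraries on the host where it runs, so the check is meaningful on the manager and on each worker separately.

```shell
#!/bin/sh
# classify_pcap_linkage PREFIX
# Reads `ldd` output on stdin and prints one of:
#   pf_ring - libpcap resolves to a file under PREFIX (assumed pf_ring prefix)
#   system  - libpcap resolves somewhere else (stock libpcap)
#   missing - libpcap is listed but the loader cannot find it
#   none    - no dynamic libpcap dependency is listed at all
classify_pcap_linkage() {
    awk -v prefix="$1" '
        # ldd lines look like: libpcap.so.1 => /path/libpcap.so.1 (0x...)
        $1 ~ /^libpcap\.so/ {
            if ($0 ~ /not found/)              missing = 1
            else if (index($3, prefix "/") == 1) pfring = 1
            else                                 sys = 1
        }
        END {
            if (missing)     print "missing"
            else if (pfring) print "pf_ring"
            else if (sys)    print "system"
            else             print "none"
        }'
}

# Constructed sample: binary resolving libpcap under the pf_ring prefix.
sample_pfring_ldd() {
    printf '\tlibpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f0000000000)\n'
    printf '\tlibc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)\n'
}

# Constructed sample: binary resolving the distribution libpcap.
sample_system_ldd() {
    printf '\tlibpcap.so.1 => /usr/lib64/libpcap.so.1 (0x00007f0000000000)\n'
    printf '\tlibc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)\n'
}

# Constructed sample: libpcap dependency recorded but not installed on this host.
sample_missing_ldd() {
    printf '\tlibpcap.so.1 => not found\n'
    printf '\tlibc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)\n'
}

# Real use on a node (the path to the bro binary depends on your install prefix):
#   ldd /path/to/bro | classify_pcap_linkage /opt/pfring
```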

Making sure I follow you: And hence the binary distributed to the workers by the manager will not pick up those libraries, even though they do exist on the worker?