All,
This morning I updated bro and pfring on my dev sensor to their respective git master branches and started receiving this error when I try to start bro:

broctl start

starting logger …

starting manager …

starting proxy-1 …

starting worker-1-1 …

starting worker-1-2 …

starting worker-1-3 …

starting worker-1-4 …

starting worker-1-5 …

worker-1-5 terminated immediately after starting; check output with “diag”

worker-1-4 terminated immediately after starting; check output with “diag”

worker-1-1 terminated immediately after starting; check output with “diag”

worker-1-3 terminated immediately after starting; check output with “diag”

worker-1-2 terminated immediately after starting; check output with “diag”

running ‘broctl diag’ gives me this

fatal error: problem with interface eno33557248 (pcap_error: BPF program is not valid)

pf_ring is loading properly as far as I can tell. My node.cfg is below:

[logger]

type=logger

host=localhost

[manager]

type=manager

host=localhost

[proxy-1]

type=proxy

host=localhost

[worker-1]

type=worker

host=localhost

interface=eno33557248

lb_method=pf_ring

lb_procs=5

pin_cpus=2,3,4,5,6

Any ideas on what causes this? Should I just roll back to my last config that worked, or did I miss a change in bro 2.5 config?

Drake

Hello Drake,

I am not aware of any changes that we did that should cause this kind of
error, so I assume that the reason for this is not the updated pfring, and
not the updated Bro.

Could you check if this indeed does work with Bro 2.4.1 and the new
pfring, or if Bro 2.4.1 and the new pfring fails in the same way and
report back?

Thanks,
Johanna

Thanks Johanna, the issue seemed to be pf_ring, I rolled it back to 6.0.3 and it’s working fine now.