Broctl segmentation fault


After any build of Bro with Broctl 1.7, I’m experiencing the below error when broctl/scripts/check-config is run…

/opt/bro/share/broctl/scripts/check-config: line 50: 4463 Segmentation fault “${bro}” $check_option “$@”

Anyone encountered this before? Cannot bypass doing broctl check – broctl start results in failed/crashed processes.

This is on RHEL7.5, after building Bro-2.5.5 (I’ve tried other minor versions since 2.5 – same issue).

Existing Bro cluster on RHEL7.5 boxes with Bro-2.5 and Broctl 1.5 works fine.

Any help would be greatly appreciated.


Sean Hutchison

check runs bro with the current configuration to see if it can start, so that's bro segfaulting there.. that's why start also fails..

What do you get if you try each of the following?

    bro -v
    bro -NN # just see if this runs or crashes
    bro -b -i lo
    bro -i lo
    bro -i lo local

You can hit control-c if any of those start successfully to get your prompt back.

I'm not aware of any issues like this, so it could be something with your configuration.

Do you have a customized local.bro at all?
Are you building bro against a particular libpcap or malloc implementation?
What does ldd /opt/bro/bin/bro output?

# bro -v
bro version 2.5.5

# bro -NN
Segmentation fault

# bro -b -i lo
listening on lo

^C1538653437.070325 received termination signal
1538653437.070325 208 packets received on interface lo, 0 dropped

# bro -i lo
Segmentation fault

# bro -i lo local
Segmentation fault

# ldd /opt/bro/bin/bro => (0x00007fff99dfd000) => /lib64/ (0x00007f148eec1000) => /lib64/ (0x00007f148ec50000) => /lib64/ (0x00007f148e7ef000) => /lib64/ (0x00007f148e5d6000) => /lib64/ (0x00007f148e3c0000) => /lib64/ (0x00007f148e190000) => /lib64/ (0x00007f148dd9b000) => /lib64/ (0x00007f148db7f000) => /lib64/ (0x00007f148d97b000) => /lib64/ (0x00007f148d674000) => /lib64/ (0x00007f148d372000) => /lib64/ (0x00007f148d15c000) => /lib64/ (0x00007f148cd8f000) => /lib64/ (0x00007f148cb42000) => /lib64/ (0x00007f148c85a000) => /lib64/ (0x00007f148c656000) => /lib64/ (0x00007f148c423000)
        /lib64/ (0x00007f148f102000) => /lib64/ (0x00007f148c215000) => /lib64/ (0x00007f148c011000) => /lib64/ (0x00007f148bdea000) => /lib64/ (0x00007f148bb88000)

No custom scripts being loaded via local.bro
Nothing in particular - did yum install/update of RedHat-based dependencies according to
Although I did build it against pfring first, using yum package from ntop repo - same issue, have since removed that and did regular build

Only configure switch was --prefix.



Is there a change that you have binary plugins installed (netmap plugin, a few bro-pkg ones)?

They can cause crashes exactly like this. This behavior is fixed with Bro 2.6 (it will output an error message instead).

If that is the case - either recompiling or removing the binary plugins will fix this.


Yes, and I just removed the Bro Kafka plugin and no more error!

Thank you so much.


If you don’t mind, can you share the steps you took to build and install the plug-in? What version?


Ya, first install librdkafka (there’s probably a newer version – make sure it supports your Kafka broker version) …

curl --silent -L -k | tar xz

cd librdkafka-0.9.5



make install

Then get bro-plugins repo and build kafka plugin against version of Bro you’re using by pointing it to where you extracted bro source…

git clone

cd bro-plugins/kafka/

./configure --bro-dist=/path/to/bro-2.#.#

make && make install

Confirm with…

bro -N Bro::Kafka

See for example configurations.



Sounds like you are looking at a very old version of the plugin, since bro/bro-plugins has been completely deprecated at this point. Can you use bro-pkg to install apache/metron-bro-plugin-kafka? It should be a bit more robust and up to date. Let me know if you have any issues when taking this approach.


Well, we don’t really have a need to use the bro kafka plugin currently – it was just for a bit of testing previously – but I can use bro-pkg in the future or for other plugins/scripts.



Gotcha, yeah please do as that is the most updated code and includes some baseline btests (with more coming in the near future). Feel free to reach out to me via the list if you have any questions/concerns/issues on it - thanks!