Hi, we’re doing a job that is collecting traffic by using Bro and PF_RING
Could you provide a bit more detail about your setup? Are the workers all running on a single server, or are they distributed across multiple servers?
What I’m trying to determine is at what point the duplication is happening.
Yes, I will do that.
From one of Justin’s posts a while back (as I have struggled with this numerous times) - this may or may not be the issue, but putting it out there if it is, as it has the same symptoms.
[root@bro-dev ~]# broctl config | grep pfring
pfringclusterid = 21
pfringclustertype = 4-tuple
ringfirstappinstance = 0
If you have pfringclusterid set to 0, that’s the problem that was just fixed. You can easily work around that by adding
PFRINGClusterID = 21
to your /usr/local/bro/etc/broctl.cfg
Mark
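The check Mark describes, scripted as an added example (not part of the original thread or of broctl itself). It assumes the `broctl config` output has been saved to a file and that PF_RING load balancing is configured with `lb_method=pf_ring` in node.cfg; the function names and sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the pfringclusterid = 0 condition discussed in this thread.
# Inputs are text files: saved `broctl config` output and a node.cfg.

# Print the pfringclusterid value from saved `broctl config` output (empty if absent).
pfring_cluster_id() {
    awk -F' *= *' '$1 == "pfringclusterid" { print $2; exit }' "$1"
}

# Succeed if any node.cfg line sets lb_method=pf_ring (comments are ignored).
uses_pfring_lb() {
    sed 's/#.*//' "$1" |
        grep -Eq '^[[:space:]]*lb_method[[:space:]]*=[[:space:]]*pf_ring[[:space:]]*$'
}

# Verdict: 0 = fine or not applicable, 1 = cluster id is 0, 2 = value not reported.
check_pfring_dup() {
    id=$(pfring_cluster_id "$1")
    if ! uses_pfring_lb "$2"; then
        echo "SKIP: no worker uses lb_method=pf_ring"; return 0
    fi
    case "$id" in
        '') echo "WARN: pfringclusterid not reported"; return 2 ;;
        0)  echo "FAIL: pfringclusterid is 0; set PFRINGClusterID in broctl.cfg"; return 1 ;;
        *)  echo "OK: pfringclusterid=$id"; return 0 ;;
    esac
}

# Constructed sample inputs (not taken from a real sensor).
demo=$(mktemp -d)
printf 'pfringclusterid = 0\npfringclustertype = 4-tuple\n' > "$demo/bad.txt"
printf 'pfringclusterid = 21\npfringclustertype = 4-tuple\n' > "$demo/good.txt"
cat > "$demo/node.cfg" <<'EOF'
[worker-1]
type=worker
host=localhost
interface=eth0
lb_method=pf_ring
lb_procs=4
EOF
check_pfring_dup "$demo/bad.txt" "$demo/node.cfg" || true
check_pfring_dup "$demo/good.txt" "$demo/node.cfg" || true
rm -rf "$demo"
```

On a live manager the first argument would be a file produced with `broctl config > saved.txt`.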
thanks a lot, Mark!
it’s solved by adding “PFRINGClusterID = 21” in the cfg file.
it works well!
On Saturday, April 28, 2018, Mark Buchanan <mabuchan@gmail.com> wrote:
You should also probably configure a logger process in node.cfg to run on the same box as your manager and proxy.
-Drew