Pcap Buffer = 0

I have a fresh Bro-IDS install (ver 1.5.3), but I'm not really capturing
traffic. I know I'm missing something (config setting, etc.) but am
unsure what it is. I consulted teh Google but didn't have much luck.
Could someone provide some insight/advice? Thanks!

-Chuck

Here are the particulars:

Possible symptom is that the pcap buffer = 0 (e.g. in
/raid/bro/spool/rigel-igb0/stderr.log).
Bro-IDS v1.5.3
FreeBSD v8.2-RELEASE
in /etc/rc.conf:
ifconfig_igb0="mtu 9000 promisc -arp up"
ifconfig_igb1="mtu 9000 promisc -arp up"
ifconfig_igb2="mtu 9000 promisc -arp up"
ifconfig_igb3="mtu 9000 promisc -arp up"
ifconfig_igb4="mtu 9000 promisc -arp up"
ifconfig_igb5="mtu 9000 promisc -arp up"

in /etc/sysctl.conf:
## Increase packet capture buffer sizes
net.bpf.maxbufsize=10485760
net.bpf.bufsize=10485760
## Increase socket buffer limits
kern.ipc.maxsockbuf=4194304

in /boot/loader.conf:
kern.ipc.nmbclusters="131072"
kern.ipc.nmbjumbo9="65536"

Output of `broctl config`:
[BroControl] > config
analysis-dns = 0
analysiscfg = /raid/bro/etc/analysis.dat
auxpostprocessors =
auxscriptsmanager =
auxscriptsstandalone =
auxscriptsworker =
bindir = /raid/bro/bin
bro = /raid/bro/bin/bro
broargs =
brobase = /raid/bro
broversion = 1.5.3
capstats = /raid/bro/bin/capstats
cfgdir = /raid/bro/etc
cflowaddr =
cflowpassword =
cflowuser =
cron = 0
cron-enabled = 1
croncmd =
cronenabled = 1
custominstallbin =
debug = 1
debuglog = /raid/bro/spool/debug.log
defsitepolicypath = /raid/bro/share/bro/site
devmode = 0
distdir = /root/WORKING/bro-1.5.3
havebroccoli =
havenfs = 0
helperdir = /raid/bro/share/broctl/scripts/helpers
home = /root
libdir = /raid/bro/lib
libdirinternal = /raid/bro/lib/broctl
localnetscfg = /raid/bro/etc/networks.cfg
lockfile = /raid/bro/spool/lock
logdir = /raid/bro/logs
logexpireinterval = 30
mailalarmprefix = ALERT:
mailalarms = 1
mailalarmsto = root@localhost
mailfrom = Big Brother <bro@rigel.nwsc.ucar.edu>
mailreplyto =
mailsubjectprefix = [Bro]
mailto = root@localhost
makearchivename = /raid/bro/share/broctl/scripts/make-archive-name
memlimit = unlimited
mindiskspace = 5
nodecfg = /raid/bro/etc/node.cfg
os = freebsd
policydir = /raid/bro/share/bro
policydirbroctl = /raid/bro/share/bro/broctl
policydirsiteinstall = /raid/bro/share/bro/.site
policydirsiteinstallauto = /raid/bro/share/bro/.site/auto
postprocdir = /raid/bro/share/broctl/scripts/postprocessors
prefixes = local
rigel-crashed = 0
rigel-igb0-crashed = 0
rigel-igb0-pid = 2543
rigel-igb0-port = 47762
rigel-igb1-crashed = 0
rigel-igb1-pid = 2544
rigel-igb1-port = 47763
rigel-igb2-crashed = 0
rigel-igb2-pid = 2545
rigel-igb2-port = 47764
rigel-igb3-crashed = 0
rigel-igb3-pid = 2542
rigel-igb3-port = 47765
rigel-igb4-crashed = 0
rigel-igb4-pid = 2541
rigel-igb4-port = 47766
rigel-igb5-crashed = 0
rigel-igb5-pid = 2546
rigel-igb5-port = 47767
rigel-p1-crashed = 0
rigel-p1-pid = 2426
rigel-p1-port = 47761
rigel-pid = 1967
rigel-port = 47760
savetraces = 0
scripts-manager = cluster-manager
scripts-proxy = cluster-proxy
scripts-standalone = standalone
scripts-worker = cluster-worker
scriptsdir = /raid/bro/share/broctl/scripts
sendmail = 1
sigint = 0
sitepolicymanager = local-manager
sitepolicypath = /raid/bro/share/bro/site
sitepolicystandalone = local.bro
sitepolicyworker = local-worker
spooldir = /raid/bro/spool
standalone = 0
statefile = /raid/bro/spool/broctl.dat
staticdir = /raid/bro/share/broctl
statsdir = /raid/bro/logs/stats
statslog = /raid/bro/spool/stats.log
templatedir = /raid/bro/share/broctl/templates
time = /usr/bin/time
timefmt = %d %b %H:%M:%S
timemachinehost =
timemachineport = 47757/tcp
tmpdir = /raid/bro/spool/tmp
tmpexecdir = /raid/bro/spool/tmp
tracesummary = /raid/bro/bin/trace-summary
version = 0.3

Does broctl capstats show your interfaces receiving packets?

Output:

[rigel /raid/bro/bin]# ./broctl capstats

Interface kpps mbps (10s average)

Hi Chuck,

Just a thought: Is the traffic that you're (not) capturing vlan tagged?

tcpdump with the '-e' argument and no filter will tell you for sure.

If so, you need to load the vlan policy, otherwise libpcap will apply the
filter rules to the wrong frame offsets.
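
Added example (not part of the original thread, and not Bro or libpcap code): a Python sketch of why a filter compiled without VLAN handling misses tagged traffic. The frames are constructed samples, and the function names build_frame, naive_ip_match and strip_vlan_tags are hypothetical.

```python
import struct

ETH_P_IP = 0x0800
VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad (QinQ) tag protocol IDs


def build_frame(vlan_ids=()):
    """Constructed sample: Ethernet header, optional VLAN tags, bare IPv4 header."""
    frame = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")  # dst, src
    for vid in vlan_ids:
        frame += struct.pack("!HH", 0x8100, vid & 0x0FFF)  # TPID, TCI (priority 0)
    frame += struct.pack("!H", ETH_P_IP)
    # 20-byte IPv4 header, TCP, 192.0.2.1 -> 192.0.2.2 (checksum left at 0)
    return frame + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                               bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


def naive_ip_match(frame):
    """A filter with no VLAN handling: test the 16-bit field at offset 12."""
    return len(frame) >= 14 and struct.unpack_from("!H", frame, 12)[0] == ETH_P_IP


def strip_vlan_tags(frame):
    """Walk past any VLAN tags; return (vlan_ids, ethertype, l3_offset)."""
    offset, vlans = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in VLAN_TPIDS:
            return vlans, etype, offset + 2
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits are the VLAN ID
        offset += 4                 # each tag shifts everything after it by 4 bytes


if __name__ == "__main__":
    for label, ids in (("untagged", ()), ("802.1Q", (100,)), ("stacked", (10, 20))):
        f = build_frame(ids)
        vlans, etype, l3 = strip_vlan_tags(f)
        print(f"{label:9} naive_ip={naive_ip_match(f)!s:5} vlans={vlans} "
              f"ethertype=0x{etype:04x} ip_header_at={l3} proto={f[l3 + 9]}")
```

On the tagged frames the offset-12 test sees the tag protocol ID instead of 0x0800, so an IP filter rejects traffic that is in fact IPv4.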