I’ve set up a Bro 2.1 instance with a network tap, but keep getting notice log entries of “PacketFilter::Dropped_Packets”. I’m assuming this is because Bro is single threaded and it needs more workers to keep up with the traffic, so I’m trying to implement pf_ring to distribute the traffic across multiple workers. I’ve installed the pf_ring RPM package from ntop (http://www.nmon.net/packages/rpm/x86_64/PF_RING/) and that gets the kernel module loaded but seems to be lacking something still - probably linking libpcap to pf_ring? That’s what I’m not sure about. After installing pf_ring from the RPM package and configuring Bro for multiple workers it starts up ok but is still dropping packets (all of the workers, per the notice log) and pf_ring doesn’t appear to be used:
cat /proc/net/pf_ring/info
PF_RING Version : 5.6.2 ($Revision: 6910$)
Total rings : 0
Standard (non DNA) Options
Ring slots : 4096
Slot version : 15
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
Has anyone had any success with clustered Bro with pf_ring on RHEL/CentOS, and did you have to compile it from source and re-compile libpcap? I’d prefer to stick with the RPM packages since it tends to make updating less problematic. I installed Bro 2.1 as an RPM package as well.
Thanks,
Matt
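The post above reads "Total rings : 0" as the sign that no Bro worker is actually capturing through PF_RING. The script below is an added example, not code from the post, from Bro or from ntop: it parses that field from /proc/net/pf_ring/info (or from a file passed in), reports "in-use" or "not-in-use", and as a separate heuristic inspects the libpcap that a binary loads for PF_RING symbols, which is the "is libpcap linked to pf_ring?" question the post raises. The file paths, the `bro` binary name, the sample output (copied from the post, plus a constructed variant with four open rings) and the symbol-based linkage heuristic are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original post, Bro, or ntop): a small check
# for whether packet capture is really going through PF_RING.
#   - pfring_total_rings: "Total rings" from /proc/net/pf_ring/info; 0 open
#     rings means no process (Bro workers included) has opened a PF_RING socket
#   - pfring_pcap_linked: heuristic, does the libpcap loaded by a binary
#     reference pfring_open (assumption: a PF_RING-aware libpcap carries
#     pfring_* symbols, either as undefined refs to libpfring.so or built in)

# Print the "Total rings" value from a pf_ring info file.
# Usage: pfring_total_rings [path]   (default: /proc/net/pf_ring/info)
# Prints 0 and returns 1 if the file or the field is missing.
pfring_total_rings() {
    info_file="${1:-/proc/net/pf_ring/info}"
    if [ ! -r "$info_file" ]; then
        echo 0
        return 1
    fi
    # Field layout in the post: "Total rings : 0"; strip anything non-numeric.
    rings=$(awk -F: '/^Total rings/ { gsub(/[^0-9]/, "", $2); print $2; exit }' "$info_file")
    echo "${rings:-0}"
    [ -n "$rings" ]
}

# Summarise the ring count as "in-use" (at least one ring open) or "not-in-use".
pfring_status() {
    n=$(pfring_total_rings "$1") || true
    if [ "$n" -gt 0 ]; then
        echo in-use
    else
        echo not-in-use
    fi
}

# Heuristic linkage check on the libpcap that BIN (default: bro) loads.
# Prints "linked", "unlinked" or "unknown" (binary or tools unavailable).
pfring_pcap_linked() {
    bin="${1:-$(command -v bro 2>/dev/null)}"
    if [ -z "$bin" ] || ! command -v ldd >/dev/null 2>&1 || ! command -v nm >/dev/null 2>&1; then
        echo unknown
        return 2
    fi
    pcap=$(ldd "$bin" 2>/dev/null | awk '/libpcap\.so/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }')
    if [ -z "$pcap" ]; then
        echo unknown
        return 2
    fi
    if nm -D "$pcap" 2>/dev/null | grep -q 'pfring_open'; then
        echo linked
    else
        echo unlinked
    fi
}

# Constructed sample mirroring the output quoted in the post (no rings open).
SAMPLE_INFO=$(mktemp)
cat > "$SAMPLE_INFO" <<'EOF'
PF_RING Version : 5.6.2 ($Revision: 6910$)
Total rings : 0
Standard (non DNA) Options
Ring slots : 4096
Slot version : 15
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
EOF

# Constructed variant of a host where workers have opened four rings.
SAMPLE_INFO_BUSY=$(mktemp)
sed 's/^Total rings : 0$/Total rings : 4/' "$SAMPLE_INFO" > "$SAMPLE_INFO_BUSY"
trap 'rm -f "$SAMPLE_INFO" "$SAMPLE_INFO_BUSY"' EXIT

echo "sample (post's output): $(pfring_total_rings "$SAMPLE_INFO") rings -> $(pfring_status "$SAMPLE_INFO")"
echo "sample (busy host):     $(pfring_total_rings "$SAMPLE_INFO_BUSY") rings -> $(pfring_status "$SAMPLE_INFO_BUSY")"
echo "live /proc entry:       $(pfring_status)"
echo "libpcap used by bro:    $(pfring_pcap_linked)"
```

On a working PF_RING cluster the live ring count should equal the number of capture processes (one per Bro worker) while they are running; a count of 0 with workers up means the workers opened a plain libpcap socket instead, which is exactly the situation the post describes. The `nm`-based linkage check is only a hint: a libpcap that was never rebuilt against PF_RING will report "unlinked", but a static build could in principle hide the symbols, so treat the ring count as the authoritative signal.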