it absolutely refuses to honor this in config. No matter what I do, sh configure forces the use of clang/clang++, which does not support 4.8 on centos6. I specifically have gcc/g++ 4.8.2 installed in the devtoolset slc environment.
I do not understand why sh configure is not honoring these explicit environment variables pointing to a proper g++ binary.
Checking the …/doc/configuration/index.rst, this indicates that
–with-pcap=/opt/pfring
however, this makes no change in it building. Moreover, in …/build/instal_manifest.txt, I see broctl/plugins/lb_pfring.py, but no other sign of pfring. ldd bro shows no pfring entry either. Why did bro not build with pfring? Thanks!
Ok,. so I got this to compile, but it is non-trivial.
how did you get it to run in the end? I saw your last email with the
export of CC/CXX not working (which is a bit odd, as far as I remember
that worked fine for me in the past).
There is no longer a --with-pfring=X option in 25 configure script. See:
I actually don't think that we ever had that version (at least I do not
remember it being in the last view versions). https://www.bro.org/documentation/load-balancing.html gives a bit of
information on how to use Bro with the pfring libpcap. The pf_ring plugin
is different, and directly uses pfring without going throug libpcap. I
never used this one myself, however checking the code it seems to look
through the standard include path locations for pfring. If pfring is
installed in a different place, you can probably enable Bro to find it by
exporting CFLAGS/CXXFLAGS/LDFLAGS to point to that directory.
however, this makes no change in it building. Moreover, in
../build/instal_manifest.txt, I see broctl/plugins/lb_pfring.py, but no
other sign of pfring. ldd bro shows no pfring entry either. Why did bro not
build with pfring? Thanks!
It might have built against the wrong version of libpcap. The chosen pcap
library is displayed during configure output in a line like:
That's not the pf_ring plugin, it's the built-insupport for pf_ring by using the libpcap wrapper. As the load-balancing documentation shows, you simply need to see if bro is linked against pf_ring:
How do I build the plugin then? The plugin is more useful, as whenever we upgrade pf_ring, we can just rebuild the plugin and not all of bro. We upgrade pf_ring on a regular basis…
The plugin is not being built automatically. By default, Bro uses libpcap (in this case, it is building against the pfring libpcap, so you are already using libpcap). The plugin uses poring directly without going through libpcap. You have to build it manually by going to aux/plugins/libpcap after building bro, calling ./configure there (which should pick up libpcap), and then doing make/make install.
