New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Problems running bro with suricata on pf_ring zbalance #217

radoslawc opened this Issue Nov 21, 2018 · 0 comments


None yet
2 participants
Copy link

radoslawc commented Nov 21, 2018


I'm having problems with bro and suricata on the same pf_ring's zbalance cluster.
Originally this was reported as suricata issue, but after some investigation turns out it's caused by bro. Here's the pf_ring developer's answer:

"I see that packet len in the PF_RING packet header is 102 (caplen and len), 
while the IPLEN computed from packet headers is 1420, this should definitely not happen, 
especially with ZC as there is no snaplen, it always captures full packets.

Since reporter is using zero-copy distribution (with zbalance_ipc), 
I would not exclude that some other application is corrupting the packet. 
I would ask the reporter to provide the zbalance_ipc configuration, 
and stop all other applications if any and try to reproduce the crash again."

Whole thread on suricata's redmine:

I've excluded other applications, this issue was only happening with bro and suricata running at the same time.

bro version 2.5.5 (and 2.5.4 had the same issue)
compilation flags:
./configure --prefix=%{_prefix} --binary-package --disable-broker
pf_ring connectivity via pf_ring plugin from aux/plugins/pf_ring
OS: Centos 1804
PF_RING 7.2.0





and so on for 20 workers in total

no external bro scripts

Issue happens rarely, 2 - 3 times a week or sometimes not for two weeks or so.

Any help how to tackle this issue is greatly appreciated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment