Bro: effect of filter on speed/drops

Ashley Thomas athomas at unity.ncsu.edu
Mon Apr 9 13:36:29 PDT 2001


Hi,

We run bro by specifying a filter like:
1. -f "tcp" or 
2. -f "tcp or udp"

Will one of these rules theoretically drop fewer packets than the other
under heavy load? Also, will one execute faster than the other?

Put another way, if I specify -f "tcp", then libpcap filters only tcp
filters from the lower layer, and if I change the filter by specifying -f
"tcp or udp" then libpcap filters both tcp and udp from the lower layer.
Would this change slow down Bro a bit?

If libpcap is losing packets due to the enormous traffic in a network,
can it be avoided by making the filter more specific?

thanks
Ashley


