Strange question

Vern Paxson vern at
Sun Feb 22 08:31:00 PST 2004

> My strange question is,
> why if (I killed bro) and start tcpdump v381 (or 372 or snort or prelude)
> I read on interrupt fxp1 case : ~4200 interrupt
> this is not good because 4200 * 8 = 33.6Mbits

You shouldn't gauge it by number of interrupts since it's possible due
to processor load that in some cases you get mulitple packets per interface
and in others you don't.  You could instead look at the statistics reported
by libpcap (though these can be untrustworthy) or record the traffic
using -w and then count just how many packets were captured.


More information about the Bro mailing list