[Bro] Problem: Bro listening on two ethernet interfaces

Christoph Göldi goeldich at ee.ethz.ch
Tue May 10 08:06:39 PDT 2005


hi vern

thanks for your statement.

>> i looked at the c-code. i ran it on different machines and
>> on various interfaces. bro still drops most of the packets
>> when i force it to listen on two interfaces.
>> 
>> is it a libpcap problem?
>> a bro problem?
>> a linux problem?
> 
> I believe it's a Linux problem.  We do this under FreeBSD in two different
> ways, either merging the interfaces in the kernel into one logical
> interface (via a custom patch), or at user level.  While the in-kernel
> version performs better, the user-level one isn't a disaster like you
> describe.

i also thought about bonding the interfaces and maybe it won't be a problem.
but we plan to introduce Luca Deri's PF_RING kernel patch in the future and
then interface bonding won't be possible any more.

> I also recall hearing others mention that multiple interfaces under Linux
> do not work well in general.  I don't use Linux, though, so can't comment
> more directly.

do you know other linux software which allows listening on two interfaces?
so that i can use it for testing?
tcpdump only allows listening on one interface or on all (any).

thanx
christoph


