[Bro] Throughput Problems

Vern Paxson vern at icir.org
Tue Mar 11 20:01:48 PDT 2008

> I am running using Suse on PowerPC. I am also using specialty hardware from
> Bivio.
> I do not believe it is an issue with BPF.

Well, it's very likely *some* issue with packet capture, since I believe
the difference between your policy-scripts-that-work and scripts-that-don't
is that the latter capture full-sized packets and the former basically don't.

Try this.  Run with the set of scripts that work plus print-filter.bro to
see what filter is being used.  Then run with the scripts that don't work
plus print-filter and get that filter.  See then how tcpdump fares using
each filter (along with -s 0 to capture full-sized packets).

If that doesn't shed light, then what are the dominant types of applications
in your traffic, and how do you fare using Bro setups that don't capture them?

We routinely run on traffic with 100+ Mbps traffic (18K pps), predominantly
SSH and HTTP, without significant problems with drops.
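
[Added example, not part of the original message.] One way to run the tcpdump comparison described above: capture full-sized packets (-s 0) under each filter printed by print-filter.bro and compare the kernel drop rate. The helper names (drop_pct, run_filter), the interface name and the 60-second duration are assumptions; the filter strings must be pasted from your own print-filter output, and the drop rate is computed against tcpdump's "received by filter" counter.

```shell
#!/bin/sh
# Added example: compare kernel drop rates for two capture filters.

# drop_pct: read tcpdump's exit summary on stdin and print
# dropped-by-kernel as a percentage of received-by-filter.
# Prints "n/a" (exit status 1) if the counters are missing.
drop_pct() {
    LC_ALL=C awk '
        /packets received by filter/ { recv = $1 }
        /packets dropped by kernel/  { drop = $1 }
        END {
            if (recv == "" || drop == "") { print "n/a"; exit 1 }
            if (recv == 0) { print "0.00"; exit 0 }
            printf "%.2f\n", 100 * drop / recv
        }'
}

# run_filter IFACE SECONDS FILTER
# Capture full-sized packets with FILTER for SECONDS, discard them,
# and print the resulting drop percentage. Needs capture privileges.
run_filter() {
    iface=$1; secs=$2; filter=$3
    # tcpdump writes its packet counters to stderr when interrupted.
    stats=$(timeout -s INT "$secs" \
        tcpdump -n -i "$iface" -s 0 -w /dev/null "$filter" 2>&1) || true
    printf '%s\n' "$stats" | drop_pct
}

# Usage (filters are placeholders; paste what print-filter.bro printed):
#   FILTER_OK='<filter from the scripts that work>'
#   FILTER_BAD='<filter from the scripts that drop>'
#   echo "working set: $(run_filter eth0 60 "$FILTER_OK")% dropped"
#   echo "failing set: $(run_filter eth0 60 "$FILTER_BAD")% dropped"
```

If tcpdump alone shows a high drop rate with the second filter, the loss is in packet capture rather than in Bro's analysis.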


