[Bro] Throughput Problems
joel.ebrahimi at gmail.com
Wed Mar 12 11:38:35 PDT 2008
Thanks for this info. I had not realized that brolite was applying a number
of filters. My main testing pcap was a large variety of services, protocols,
and sessions. My testing was semi-automated to check packets sent vs packets
bro received. The filter skewed my results. I applied a redef to the packet
filter and I am now seeing excellent statistics on the Intel machine.
I will use this information now to re-test on the Bivio platform.
On Tue, Mar 11, 2008 at 8:01 PM, Vern Paxson <vern at icir.org> wrote:
> > I am running using Suse on PowerPC. I am also using specialty hardware
> > Bivio.
> > I do not believe it is an issue with BPF.
> Well, it's very likely *some* issue with packet capture, since I believe
> the difference between your policy-scripts-that-work and
> is that the latter capture full-sized packets and the former basically
> Try this. Run with the set of scripts that work plus print-filter.bro to
> see what filter is being used. Then run with the scripts that don't work
> plus print-filter and get that filter. See then how tcpdump fares using
> each filter (along with -s 0 to capture full-sized packets).
> If that doesn't shed light, then what are the dominant types of
> in your traffic, and how do you fare using Bro setups that don't capture
> We routinely run on traffic with 100+ Mbps traffic (18K pps),
> SSH and HTTP, without significant problems with drops.
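
The tcpdump comparison suggested in the quoted reply can be scripted as below. This is an added example, not part of the original thread or of Bro: the function names, the interface name in the usage comment, and the sample summaries are assumptions or constructed, and the two filter strings must be the ones print-filter.bro reports for each script set.

```shell
#!/bin/sh
# Compare kernel drop rates for two capture filters using tcpdump's exit summary.
# capture_stats needs root and a live interface; drop_pct is a pure parser.

# capture_stats IFACE FILTER SECONDS -> prints tcpdump's exit summary
capture_stats() {
    # -s 0 captures full-sized packets, as the reply suggests; packets are discarded.
    timeout -s INT "$3" tcpdump -n -i "$1" -s 0 -w /dev/null "$2" 2>&1 || true
}

# drop_pct: read a tcpdump summary on stdin, print dropped/received as a percentage.
# The exact meaning of "received by filter" depends on the OS (see pcap_stats),
# so use the figure to compare two filters on the same machine, not across hosts.
drop_pct() {
    awk '
        /packets received by filter/ { recv = $1 }
        /packets dropped by kernel/  { drop = $1 }
        END {
            if (recv == "" || drop == "") { print "n/a"; exit 1 }
            if (recv == 0) { print "0.00"; exit 0 }
            printf "%.2f\n", 100 * drop / recv
        }'
}

# Constructed sample summaries (not measurements from the thread).
SAMPLE_LIGHT='1200 packets captured
1200 packets received by filter
0 packets dropped by kernel'
SAMPLE_FULL='181342 packets captured
200000 packets received by filter
18658 packets dropped by kernel'

echo "filter A: $(printf '%s\n' "$SAMPLE_LIGHT" | drop_pct)% dropped"
echo "filter B: $(printf '%s\n' "$SAMPLE_FULL" | drop_pct)% dropped"

# Live use (eth0 is an assumed interface name; FILTER_A/FILTER_B are the
# filters printed by print-filter.bro for each set of scripts):
#   capture_stats eth0 "$FILTER_A" 60 | drop_pct
#   capture_stats eth0 "$FILTER_B" 60 | drop_pct
```

If tcpdump drops packets under the second filter but not the first, the loss comes from the capture path and the filter rather than from Bro's analysis.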