[Bro] Update on using PF_RING/TNAPI with Bro

Justin Azoff JAzoff at uamail.albany.edu
Wed Dec 15 14:00:17 PST 2010

On Wed, Dec 15, 2010 at 04:41:36PM -0500, Sunjeet Singh wrote:
> 3. PF_RING provides a user API which can be used by user-applications
> like Bro to directly read from the multiple RX_Queues of a network
> interface by using notation like eth0 at 1, eth0 at 2, etc. for RX_Queues 1
> and 2 belonging to interface eth0.


> But using PF_RING with the existing Bro leads to a performance
> degradation of Bro because Bro runs on one user-thread, and when all
> these packets reach user-space on different user-threads, they need to
> be processed by the core that is running Bro.

Why are you only running one bro process?  You can setup a single node
bro cluster and run multiple bro processes, each listening on one of
eth0 at 1, eth0 at 2..

-- Justin Azoff
-- Network Security & Performance Analyst

More information about the Bro mailing list