[Bro] A few questions

Justin Azoff JAzoff at uamail.albany.edu
Tue Feb 2 13:05:27 PST 2010

On Tue, Feb 02, 2010 at 03:40:28PM -0500, Powell, Scott wrote:
> Robin et al,
> OK, a little more info. It appears that the analyzers that are killing the
> CPU are the HTTP ones. I do not want to disable these because they log very
> useful information. However, I cannot seem to keep up on one core. I either
> need a way to process the analysis on multiple cores or I need a frontend to
> distribute the load to multiple nodes. I do not have a hardware frontend
> solution so I would be interested in software solutions such as click. I saw
> it mentioned on the Wiki and in Workshop slides but are there example configs
> somewhere?
> Thanks, Scott

Attached is a click config that splits up traffic into 3 queues.
I have it using pcap since I ignore a few hosts on campus that do a ton of bulk
traffic that is not interesting from within Bro.

Like I mentioned in my other reply, if you have a newer intel card you can do
this without click.  I run the usermode click and it uses about 60% of one
core (I have 8) to split up the traffic.  If it took any more I would just get
the better intel GigE card and do the traffic splitting in hardware.

-- Justin Azoff
-- Security & Network Performance Analyst
-------------- next part --------------
// From puppet - do not edit
// Three virtual interfaces, one per Bro worker. KernelTap takes an
// address/mask argument that is missing from the archived message, so
// ADDR/MASK is a placeholder (use a distinct address for each tap). Bro
// sniffs tap0..tap2 like real NICs; whatever the kernel sends back is dropped.
tap0 :: KernelTap(ADDR/MASK) -> Discard;
tap1 :: KernelTap(ADDR/MASK) -> Discard;
tap2 :: KernelTap(ADDR/MASK) -> Discard;

// HashSwitch(OFFSET, LENGTH) sums the LENGTH bytes at OFFSET and takes the
// remainder modulo the number of connected outputs (3 here). Bytes 26..33 of
// an untagged Ethernet/IPv4 frame are the source and destination addresses, so
// both directions of a connection land on the same queue, which Bro needs to
// reassemble HTTP sessions. An 802.1Q tag shifts the IP header (and the window) by 4 bytes.
my_switch :: HashSwitch(26, 8);

// CAPTURE PCAP reads through libpcap; BPF_FILTER applies only in that mode
// and drops the bulk-transfer hosts before they reach Bro.
FromDevice(sniff1, PROMISC true, CAPTURE PCAP, BPF_FILTER "not (host xxx.xxx.xxx.xxx)" ) -> my_switch;

// FromDevice pushes and KernelTap pulls, so a Queue sits between them.
my_switch[0] -> Queue -> tap0;
my_switch[1] -> Queue -> tap1;
my_switch[2] -> Queue -> tap2;
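As an added illustration (not part of Justin's message or his Click config): a Python model of the HashSwitch(26, 8) decision above, showing why a request and its reply reach the same Bro worker on untagged traffic and how an 802.1Q tag breaks that. The frames are constructed inline, not captured traffic.

```python
import struct
from typing import Optional


def hash_switch(frame: bytes, offset: int = 26, length: int = 8, outputs: int = 3) -> int:
    """Model of Click's HashSwitch(OFFSET, LENGTH): sum the LENGTH bytes at
    OFFSET and reduce modulo the number of connected outputs. Frames too short
    to contain the window go to output 0, as Click does."""
    if len(frame) < offset + length:
        return 0
    return sum(frame[offset:offset + length]) % outputs


def make_ipv4_frame(src_ip: str, dst_ip: str, vlan_id: Optional[int] = None) -> bytes:
    """Constructed sample frame: Ethernet header (optionally 802.1Q-tagged)
    followed by a minimal 20-byte IPv4 header. Not real captured traffic."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst MAC, src MAC
    if vlan_id is not None:
        eth += struct.pack("!HH", 0x8100, vlan_id)  # 802.1Q tag shifts the IP header by 4 bytes
    eth += struct.pack("!H", 0x0800)                # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20, 0, 0, 64, 6, 0,   # ver/ihl, tos, len, id, frag, ttl, TCP, csum
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip


def both_directions_same_output(client: str, server: str, vlan_id: Optional[int] = None) -> bool:
    """True when the client->server frame and the server->client frame are
    assigned the same queue, i.e. the same Bro worker sees the whole session."""
    out = hash_switch(make_ipv4_frame(client, server, vlan_id))
    back = hash_switch(make_ipv4_frame(server, client, vlan_id))
    return out == back


if __name__ == "__main__":
    c, s = "10.1.2.3", "192.0.2.10"
    print("untagged, same queue:", both_directions_same_output(c, s))            # True
    print("802.1Q tagged, same queue:", both_directions_same_output(c, s, 100))  # False
```

With a tagged uplink the address window slides onto the TTL/protocol/checksum bytes and half of each connection's packets end up on another tap, so Bro's HTTP analyzer never sees a complete session.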
