[Bro] A few questions

Powell, Scott powellsm at musc.edu
Wed Feb 3 11:22:34 PST 2010


Yes, I went with the click setup as provided by Justin and so far so good. I'm not dropping any packets yet.

Justin - thanks again for the config.


-----Original Message-----
From: Robin Sommer [mailto:robin at icir.org] 
Sent: Wednesday, February 03, 2010 12:03 PM
To: Powell, Scott
Cc: bro at ICSI.Berkeley.EDU
Subject: Re: [Bro] A few questions

On Tue, Feb 02, 2010 at 13:53 -0500, Powell, Scott wrote:

> Given our current setup, how would I go about these BPF tricks to
> leverage multiple cores on a single machine?

The click setup already mentioned is probably the better solution,
but when using BPF, you would give each worker a different BPF
filter ignoring all but its slice of the traffic. One can express
the hash "(src+dst) mod n" in BPF (let me know if you want the exact


Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

More information about the Bro mailing list