[Bro] Bro performance issues
seth at icir.org
Sun Oct 30 21:27:21 PDT 2011
On Oct 30, 2011, at 5:46 AM, Tomer Teller wrote:
> event new_packet (c: connection,p: pkt_hdr)
> Nothing helps, Bro does not see all the packets.
> Any ideas what is the problem?
If I remember correctly, the new_packet event is only fired for IPv4 packets. Internally it can't deal with IPv6 packets but it also doesn't work with non-IP packets. Do the numbers you're getting match the number of IPv4 packets in your traffic trace file?
International Computer Science Institute
(Bro) because everyone has a network
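The check suggested in the reply above, as an added example that is not part of the original message or of Bro itself: count the frames in a trace by network-layer protocol, so the IPv4 figure can be compared with the number of new_packet events observed. The function names are hypothetical, the trace is assumed to be a classic (non-pcapng) Ethernet capture, and skipping VLAN tags to reach the inner EtherType is this sketch's own choice.

```python
import struct

ETH_IPV4, ETH_IPV6, VLAN_TAGS = 0x0800, 0x86DD, (0x8100, 0x88A8)
LE_MAGIC = (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")  # usec / nsec timestamps
BE_MAGIC = (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d")

def count_by_l3(pcap):
    """Count frames in a classic Ethernet pcap as ipv4 / ipv6 / non_ip."""
    if pcap[:4] in LE_MAGIC:
        end = "<"
    elif pcap[:4] in BE_MAGIC:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled)")
    if len(pcap) < 24 or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    counts = {"ipv4": 0, "ipv6": 0, "non_ip": 0}
    off = 24  # first record follows the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        pos = 12  # EtherType offset in an untagged frame
        etype = int.from_bytes(frame[pos:pos + 2], "big")
        while etype in VLAN_TAGS and len(frame) >= pos + 6:
            pos += 4  # skip one 802.1Q / 802.1ad tag
            etype = int.from_bytes(frame[pos:pos + 2], "big")
        if etype == ETH_IPV4:
            counts["ipv4"] += 1
        elif etype == ETH_IPV6:
            counts["ipv6"] += 1
        else:
            counts["non_ip"] += 1  # ARP, STP, truncated frames, ...
    return counts

def build_sample_pcap():
    """Constructed trace: 3 IPv4, 1 VLAN-tagged IPv4, 1 IPv6, 1 ARP frame."""
    def rec(etype_bytes):
        frame = b"\x02" * 6 + b"\x04" * 6 + etype_bytes + b"\x00" * 46
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    ipv4, ipv6, arp = b"\x08\x00", b"\x86\xdd", b"\x08\x06"
    vlan_ipv4 = b"\x81\x00\x00\x64" + ipv4
    return hdr + b"".join(rec(e) for e in (ipv4, ipv4, ipv4, vlan_ipv4, ipv6, arp))

if __name__ == "__main__":
    print(count_by_l3(build_sample_pcap()))
```

To run it against a real trace, pass the file's bytes to `count_by_l3` and compare the `ipv4` value with the event count.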