[Bro] Bro performance issues

Martin Holste mcholste at gmail.com
Mon Oct 31 09:49:50 PDT 2011


Is there a reason you can't use PF_RING for this?  It sure makes
things like this easier.

On Mon, Oct 31, 2011 at 11:39 AM, Tomer Teller <djteller at gmail.com> wrote:
> event bro_init()
>        {
>        if ( peer_description == "worker-1" )
>                restrict_filters += table(["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 0");
>        if ( peer_description == "worker-2" )
>                restrict_filters += table(["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 1");
>        }
> Is causing the following error:
> line 58 (restrict_filters += table(capture even src/dest pairs only =
> (ip[12:4] + ip[16:4]) & 1 == 0)): error, requires two arithmetic or two
> string operands
>
>
>
> On Mon, Oct 31, 2011 at 4:35 PM, Seth Hall <seth at icir.org> wrote:
>>
>> On Oct 31, 2011, at 10:15 AM, Tomer Teller wrote:
>>
>> > However, I can't surround it with an if statement so I cannot check
>> > peer_description.
>> >
>> > Any suggestions?
>>
>> Sorry about that...
>>
>> event bro_init()
>>        {
>>        if ( peer_description == "worker-1" )
>>                restrict_filters += table(["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 0");
>>        if ( peer_description == "worker-2" )
>>                restrict_filters += table(["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 1");
>>        }
>>
>>  .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro-ids.org/
>>
>
>
>
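
The BPF expressions quoted in this thread split traffic between two workers by the parity of source plus destination address. The following is an added example, not code from the thread or from the Bro project: a Python model of `(ip[12:4] + ip[16:4]) & 1` showing that both directions of a connection land on the same worker. The helper names and the sample addresses are constructed for illustration.

```python
import socket
import struct

def ipv4_header(src: str, dst: str) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def bpf_load32(pkt: bytes, offset: int) -> int:
    """Model of BPF ip[offset:4]: big-endian 32-bit load from the IP header."""
    return struct.unpack_from("!I", pkt, offset)[0]

def parity_bucket(pkt: bytes) -> int:
    """Evaluate (ip[12:4] + ip[16:4]) & 1 using 32-bit unsigned arithmetic."""
    total = (bpf_load32(pkt, 12) + bpf_load32(pkt, 16)) & 0xFFFFFFFF
    return total & 1

def worker_for(pkt: bytes) -> str:
    """Bucket 0 matches the worker-1 filter (== 0), bucket 1 the worker-2 filter (== 1)."""
    return "worker-1" if parity_bucket(pkt) == 0 else "worker-2"

# Constructed flows using documentation address ranges; the third one
# overflows 32 bits when summed, which does not change the low bit.
FLOWS = [
    ("192.0.2.10", "198.51.100.7"),
    ("192.0.2.11", "198.51.100.7"),
    ("203.0.113.255", "255.255.255.255"),
    ("192.0.2.10", "192.0.2.12"),
]

def check_flows(flows):
    """Return {flow: worker}, raising if the two directions of a flow disagree."""
    result = {}
    for src, dst in flows:
        fwd = worker_for(ipv4_header(src, dst))
        rev = worker_for(ipv4_header(dst, src))
        if fwd != rev:
            raise ValueError(f"asymmetric split for {src} <-> {dst}")
        result[(src, dst)] = fwd
    return result

if __name__ == "__main__":
    for flow, worker in check_flows(FLOWS).items():
        print(flow, "->", worker)
```

Because addition is commutative, swapping source and destination never changes the bucket, so each worker sees complete connections; the split depends only on the low bit of each address, so skewed address populations can load the workers unevenly.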



