[Bro] Bro performance issues

Tomer Teller djteller at gmail.com
Mon Oct 31 10:08:50 PDT 2011


Do you mean PF_RING with front-end solution such as click router? 
Is it possible to run everything on a single machine? 

On Oct 31, 2011, at 18:49, Martin Holste <mcholste at gmail.com> wrote:

> Is there a reason you can't use PF_RING for this?  It sure makes
> things easier like this easier.
> 
> On Mon, Oct 31, 2011 at 11:39 AM, Tomer Teller <djteller at gmail.com> wrote:
>> event bro_init()
>>        {
>>        if ( peer_description == "worker-1" )
>>                restrict_filters += table(["capture even src/dest pairs
>> only"] = "(ip[12:4] + ip[16:4]) & 1 == 0");
>>        if ( peer_description == "worker-2" )
>>                restrict_filters += table(["capture even src/dest pairs
>> only"] = "(ip[12:4] + ip[16:4]) & 1 == 1");
>>        }
>> Is causing the following error:
>> line 58 (restrict_filters += table(capture even src/dest pairs only =
>> (ip[12:4] + ip[16:4]) & 1 == 0)): error, requires two arithmetic or two
>> string operands
>> 
>> 
>> 
>> On Mon, Oct 31, 2011 at 4:35 PM, Seth Hall <seth at icir.org> wrote:
>>> 
>>> On Oct 31, 2011, at 10:15 AM, Tomer Teller wrote:
>>> 
>>>> However, I can't surround it with an if statement so I cannot check
>>>> peer_description.
>>>> 
>>>> Any suggestions?
>>> 
>>> Sorry about that...
>>> 
>>> event bro_init()
>>>        {
>>>        if ( peer_description == "worker-1" )
>>>                restrict_filters += table(["capture even src/dest pairs
>>> only"] = "(ip[12:4] + ip[16:4]) & 1 == 0");
>>>        if ( peer_description == "worker-2" )
>>>                restrict_filters += table(["capture even src/dest pairs
>>> only"] = "(ip[12:4] + ip[16:4]) & 1 == 1");
>>>        }
>>> 
>>>  .Seth
>>> 
>>> --
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>>> http://www.bro-ids.org/
>>> 
>> 
>> 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> 



More information about the Bro mailing list