[Bro] Bro performance issues
seth at icir.org
Mon Oct 31 10:33:03 PDT 2011
On Oct 31, 2011, at 1:08 PM, Tomer Teller wrote:
> Do you mean PF_RING with front-end solution such as click router?
> Is it possible to run everything on a single machine?
Martin is referring to clustering in PF_RING. It will split your traffic into bidirectional flows within your kernel and it easy to configure with Bro 2.0-beta (I wouldn't try it with 1.5, it would be a bit of a mess). If you're running with broctl it will mostly just work with PF_RING out of the box including clustering, you just need to make sure you're building against the correct libpcap using PF_RING's libpcap wrapper and then all of your workers you configure in broctl's node.cfg file should sniff the same interface.
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro