[Bro] How to use PF_RING multi?
seth at icir.org
Thu Nov 13 12:17:28 PST 2014
> On Nov 13, 2014, at 1:05 PM, Thomas, Eric D <edthoma at sandia.gov> wrote:
> What is the configuration needed to run bro with PF_RING using its link aggregation (multi) capability? This below (a snippet of node.cfg) doesn't do it:
I'm afraid we don't have a terribly elegant method to do that with PF_Ring right now. You could use their ZC module and do the load balancing in userspace with their zbalance_ipc tool (or whatever it's called). I think that can merge traffic and distribute it out and we support sniffing from ZC load balanced interfaces.
This is yet another area where our upcoming packet-bricks tool will make life easier. I just wish it was ready for people to generally use. :/
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro