[Bro] How to use PF_RING multi?

Seth Hall seth at icir.org
Thu Nov 13 12:17:28 PST 2014

> On Nov 13, 2014, at 1:05 PM, Thomas, Eric D <edthoma at sandia.gov> wrote:
> What is the configuration needed to run bro with PF_RING using its link aggregation (multi) capability? This below (a snippet of node.cfg) doesn't do it:

I'm afraid we don't have a terribly elegant method to do that with PF_Ring right now.  You could use their ZC module and do the load balancing in userspace with their zbalance_ipc tool (or whatever it's called).  I think that can merge traffic and distribute it out and we support sniffing from ZC load balanced interfaces.

This is yet another area where our upcoming packet-bricks tool will make life easier.  I just wish it was ready for people to generally use. :/


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list