[Bro] pf_ring vrs PF_RING::$iface
philosnef at gmail.com
Mon Dec 5 05:33:25 PST 2016
So, having built bro with the pf_ring plugin and pf_ring (libpcap pfring),
I have found that the plugin does not seem to be working as expected.
When I run
I get much better performance and less "weird" stuff like rapidly growing
conn and weird logs.
When I use
lb_method-=(pf_ring or custom, doesn't matter which I choose)
my conn logs go crazy. Additionally, some logs which normally grow at 1 to
2 meg a second grow at 1/10th of that. Is there something undocumented
about the native pf_ring plugin that I am unaware of which would lead to
this behavioral discrepancy? Is this also rooted in RHEL7 kernel land