[Bro] pf_ring vrs PF_RING::$iface

erik clark philosnef at gmail.com
Mon Dec 5 05:33:25 PST 2016

So, having built bro with the pf_ring plugin and pf_ring (libpcap pfring),
I have found that the plugin does not seem to be working as expected.

When I run


I get much better performance and less "weird" stuff like rapidly growing
conn and weird logs.

When I use

lb_method-=(pf_ring or custom, doesn't matter which I choose)

my conn logs go crazy. Additionally, some logs which normally grow at 1 to
2 meg a second grow at 1/10th of that. Is there something undocumented
about the native pf_ring plugin that I am unaware of which would lead to
this behavioral discrepancy? Is this also rooted in RHEL7 kernel land