[Bro] af_packet/pf_ring equivalency
philosnef at gmail.com
Tue Nov 1 06:09:59 PDT 2016
Interestingly, bwm-ng does not give me traffic numbers for my sniff
interface... I am trying to get ifpps, but I don't want to have to compile
it and would like to find a RHEL6 package of it. Sadly, it isn't in EPEL's
netsniff-ng package group.
On Mon, Oct 31, 2016 at 7:21 PM, Michał Purzyński <
michalpurzynski1 at gmail.com> wrote:
> ifpps for generic bandwidth and pps monitoring. Never, ever, use iptraf.
> ifpps has been written by the netsniff-ng author and it speaks for itself.
> bwm-ng seems to be good, haven't compared the accuracy and the perf data
> For monitoring drops
> ethtool -S <int> to detect drops in card's FIFO and sometimes, reasons for
> to detect drops at the softirq layer
> Bro's stats.log to detect drops at the af_packet layer
> Bro capture_loss to detect drops in all above + drops before packets reach
> your sensor.
> Monitoring drops is complex and there is no single metric that tells you
> all. Some of this is true for pfring as well, people just don't know. I've
> seen sensors with 2-3% drops (in Suricata) but 40% drops in FIFO and they
> were like "we're doing fine". Well, so here's some bad news... ;-)
> On Mon, Oct 31, 2016 at 5:38 PM, erik clark <philosnef at gmail.com> wrote:
>> I am using pf_ring with pfcount to do traffic analysis (pps/throughput)
>> since it is very reliable.
>> Does af_packet have an equivalent for this? I don't want to use broctl
>> capstats unless there is absolutely no other option.
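The card-level check mentioned in the quoted reply (`ethtool -S <int>`), as an added example that is not part of the original thread: it diffs two counter snapshots and reports the drop percentage at the NIC, which can be far higher than what the capture application reports. The snapshot text, the ixgbe-style counter names, the substring filter and the function names are assumptions made for illustration.

```python
import re

# Constructed `ethtool -S <int>` snapshots taken some interval apart (not real
# captures). Counter names vary by driver; these are ixgbe-style names.
SNAP_T0 = """NIC statistics:
     rx_packets: 1000000
     tx_dropped: 0
     rx_missed_errors: 5000
     rx_no_buffer_count: 0
     rx_fifo_errors: 0
"""
SNAP_T1 = """NIC statistics:
     rx_packets: 1600000
     tx_dropped: 3
     rx_missed_errors: 405000
     rx_no_buffer_count: 0
     rx_fifo_errors: 0
"""

# Assumption: receive-side loss counters contain one of these substrings.
RX_DROP = re.compile(r"drop|miss|fifo|no_buffer|no_dma")

def parse_ethtool_stats(text):
    """Turn 'name: value' lines into a dict, skipping the header line."""
    stats = {}
    for line in text.splitlines():
        name, sep, value = line.rpartition(":")
        if sep and value.strip().isdigit():
            stats[name.strip()] = int(value)
    return stats

def nic_drop_report(before, after, rx_counter="rx_packets"):
    """Return (delivered, per-counter drop deltas, drop percent) for the interval."""
    b, a = parse_ethtool_stats(before), parse_ethtool_stats(after)
    delivered = a[rx_counter] - b[rx_counter]
    if delivered < 0:
        raise ValueError("counters went backwards (driver reload or reset?)")
    drops = {n: v - b.get(n, 0) for n, v in a.items()
             if n.startswith("rx") and RX_DROP.search(n) and v > b.get(n, 0)}
    # Drivers may count one lost packet under several names, so take the
    # largest delta instead of summing. Assumes rx_counter excludes drops.
    worst = max(drops.values(), default=0)
    seen = delivered + worst
    return delivered, drops, (100.0 * worst / seen if seen else 0.0)

if __name__ == "__main__":
    delivered, drops, pct = nic_drop_report(SNAP_T0, SNAP_T1)
    print(f"delivered={delivered} drops={drops} nic_drop_pct={pct:.1f}")
```

Feed it two real `ethtool -S` outputs from the sniffing interface and compare the result with the loss figure the capture process reports for the same interval.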