[Bro] af_packet/pf_ring equivalency

Drew Dixon dwdixon at umich.edu
Fri Nov 4 09:28:06 PDT 2016

The documentation for installing netsniff-ng is not great so I don't blame
you, however, it's not all that bad if you just run the one liner to
install all the dependancies for your respective distro and then
compile/build just ifpps using the following:

One-liner installation for *all* dependencies on Debian:

  $ sudo apt-get install ccache flex bison libnl-3-dev \
  libnl-genl-3-dev libnl-route-3-dev libgeoip-dev \
  libnetfilter-conntrack-dev libncurses5-dev liburcu-dev \
  libnacl-dev libpcap-dev zlib1g-dev libcli-dev libnet1-dev

One-liner installation for *all* dependencies on Fedora:

  $ sudo yum install ccache flex bison ccache libnl3-devel \
  GeoIP-devel libnetfilter_conntrack-devel ncurses-devel \
  userspace-rcu-devel nacl-devel libpcap-devel zlib-devel \
  libcli-devel libnet-devel

Compile/build options:

sudo make ifpps
sudo make ifpps_install

OR (I'd recommend this if you want more tools but the tunneling stuff, FYI
it also creates dependency issues [at least on Fedora based distros] so
exclude it using this)

sudo make allbutcurvetun
sudo make install_allbutcurvetun


On Tue, Nov 1, 2016 at 9:09 AM, erik clark <philosnef at gmail.com> wrote:

> Interestingly, bwm-ng does not give me traffic numbers for my sniff
> interface.... I am trying to get ifpps, but I dont want to have to compile
> it and would like to find a rhel6 package of it. Sadly, it isnt in EPEL's
> netsniff-ng package group.
> On Mon, Oct 31, 2016 at 7:21 PM, Michał Purzyński <
> michalpurzynski1 at gmail.com> wrote:
>> ifpps for generic bandwidth and pps monitoring. Never, ever, use iptraf.
>> ifpps has been written by the netsniff-ng author and it speaks for itself.
>> bwm-ng seems to be good, haven't compared the accuracy and the perf data
>> acquisition.
>> For monitoring drops
>> ethtool -S <int> to detect drops in card's FIFO and sometimes, reasons
>> for them.
>> https://github.com/netoptimizer/network-testing/blob/master/
>> bin/softnet_stat.pl
>> to detect drops at the softirq layer
>> Bro's stats.log to detect drops at the af_packet layer
>> Bro capture_loss to detect drops in all above + drops before packets
>> reach your sensor.
>> Monitoring drops is complex and there is no single metric that tells you
>> all. Some of this is true for pfring as well, people just don't know. I've
>> seen sensors with 2-3% drops (in Suricata) but 40% drops in FIFO and they
>> were like "we're doing fine". Well, so here's a bad news... ;-)
>> On Mon, Oct 31, 2016 at 5:38 PM, erik clark <philosnef at gmail.com> wrote:
>>> I am using pf_ring with pfcount to do traffic analysis (pps/throughput)
>>> since it is very reliable.
>>> Does af_packet have an equivalent for this? I dont want to use broctl
>>> capstats unless there is absolutely no other option.
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161104/34ec564a/attachment.html 

More information about the Bro mailing list