[Bro] af_packet/pf_ring equivalency
dwdixon at umich.edu
Fri Nov 4 09:28:06 PDT 2016
The documentation for installing netsniff-ng is not great, so I don't blame
you; however, it's not all that bad if you just run the one-liner to
install all the dependencies for your respective distro and then
compile/build just ifpps using the following:
One-liner installation for *all* dependencies on Debian:
$ sudo apt-get install ccache flex bison libnl-3-dev \
libnl-genl-3-dev libnl-route-3-dev libgeoip-dev \
libnetfilter-conntrack-dev libncurses5-dev liburcu-dev \
libnacl-dev libpcap-dev zlib1g-dev libcli-dev libnet1-dev
One-liner installation for *all* dependencies on Fedora:
$ sudo yum install ccache flex bison ccache libnl3-devel \
GeoIP-devel libnetfilter_conntrack-devel ncurses-devel \
userspace-rcu-devel nacl-devel libpcap-devel zlib-devel

$ sudo make ifpps
$ sudo make ifpps_install
OR (I'd recommend this if you want more tools, all but the tunneling stuff;
FYI, it also creates dependency issues [at least on Fedora-based distros],
so exclude it using this):

$ sudo make allbutcurvetun
$ sudo make install_allbutcurvetun
On Tue, Nov 1, 2016 at 9:09 AM, erik clark <philosnef at gmail.com> wrote:
> Interestingly, bwm-ng does not give me traffic numbers for my sniff
> interface.... I am trying to get ifpps, but I don't want to have to compile
> it and would like to find a rhel6 package of it. Sadly, it isn't in EPEL's
> netsniff-ng package group.
> On Mon, Oct 31, 2016 at 7:21 PM, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
>> ifpps for generic bandwidth and pps monitoring. Never, ever, use iptraf.
>> ifpps has been written by the netsniff-ng author and it speaks for itself.
>> bwm-ng seems to be good, haven't compared the accuracy and the perf data
>> For monitoring drops
>> ethtool -S <int> to detect drops in card's FIFO and sometimes, reasons
>> for them.
>> to detect drops at the softirq layer
>> Bro's stats.log to detect drops at the af_packet layer
>> Bro capture_loss to detect drops in all above + drops before packets
>> reach your sensor.
>> Monitoring drops is complex and there is no single metric that tells you
>> all. Some of this is true for pfring as well, people just don't know. I've
>> seen sensors with 2-3% drops (in Suricata) but 40% drops in FIFO and they
>> were like "we're doing fine". Well, so here's some bad news... ;-)
>> On Mon, Oct 31, 2016 at 5:38 PM, erik clark <philosnef at gmail.com> wrote:
>>> I am using pf_ring with pfcount to do traffic analysis (pps/throughput)
>>> since it is very reliable.
>>> Does af_packet have an equivalent for this? I don't want to use broctl
>>> capstats unless there is absolutely no other option.
>>> Bro mailing list
>>> bro at bro-ids.org
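The per-layer drop checks Michał lists above (card FIFO via `ethtool -S`, softirq backlog, af_packet via Bro's stats.log) pulled together in one script. This is an added example and not code from the thread, netsniff-ng or Bro: the three inputs are constructed samples so it runs offline, the `ethtool` counter names treated as "lost in the card" are an assumption that covers common Intel drivers (names differ per driver, so check yours), and the softirq counter is read from /proc/net/softnet_stat, which the thread does not name. On a sensor, replace the samples with the real command output and log file.

```shell
#!/bin/sh
# Added example: sum packet-drop counters at three layers and print them
# side by side. Not from the thread; sample inputs below are constructed.

# Constructed sample of `ethtool -S <iface>` output.
SAMPLE_ETHTOOL='NIC statistics:
     rx_packets: 18234991
     tx_packets: 120
     rx_missed_errors: 5231
     rx_no_buffer_count: 44
     rx_fifo_errors: 0
     rx_dropped: 12'

# Constructed sample of /proc/net/softnet_stat: one row per CPU, hex fields;
# the 2nd field counts packets dropped because the per-CPU backlog was full.
SAMPLE_SOFTNET='0012f4a1 00000000 00000003 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
000e8c33 0000000a 00000001 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000'

# Constructed excerpt of a Bro stats.log (tab-separated; only a subset of the
# real fields; pkts_dropped/pkts_link are per-interval deltas, so summing
# the rows gives totals for the window covered).
SAMPLE_STATS=$(printf '#path\tstats\n#fields\tts\tpeer\tmem\tpkts_proc\tbytes_recv\tpkts_dropped\tpkts_link\tpkt_lag\n#types\ttime\tstring\tcount\tcount\tcount\tcount\tcount\tinterval\n1478269686.000000\tworker-1\t512\t99000\t64000000\t1000\t100000\t0.001\n1478269986.000000\tworker-1\t514\t198000\t128000000\t2000\t200000\t0.001\n')

# Drops in the card: sum the ethtool counters that mean "NIC ran out of
# descriptors/FIFO". The name list is an assumption; adjust for your driver.
nic_drops() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(rx_missed_errors|rx_no_buffer_count|rx_fifo_errors|rx_dropped|rx_discards):$/ { sum += $2 }
        END { print sum + 0 }'
}

# Drops at the softirq layer: add the 2nd (hex) column of every CPU row.
softnet_drops() {
    total=0
    while read -r _processed dropped _rest; do
        case $dropped in '') continue ;; esac
        total=$((total + $(printf '%d' "0x$dropped")))
    done <<EOF
$1
EOF
    echo "$total"
}

# Drops at the af_packet layer as Bro sees them: locate pkts_dropped and
# pkts_link from the #fields header (so column order does not matter),
# sum them over the data rows and print "dropped link percent".
bro_drops() {
    printf '%s\n' "$1" | awk -F'\t' '
        $1 == "#fields" { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }
        NF > 1 { dropped += $col["pkts_dropped"] + 0; link += $col["pkts_link"] + 0 }
        END {
            if (link > 0) printf "%d %d %.2f\n", dropped, link, 100.0 * dropped / link
            else print "0 0 0.00"
        }'
}

# One line with all three layers; a low Bro percentage next to a large NIC
# or softirq count is exactly the "2-3% vs 40% in FIFO" case from the thread.
drop_report() {
    nic=$(nic_drops "$1")
    soft=$(softnet_drops "$2")
    set -- $(bro_drops "$3")
    printf 'nic_fifo_drops=%s softirq_drops=%s bro_pkts_dropped=%s bro_pkts_link=%s bro_drop_pct=%s\n' \
        "$nic" "$soft" "$1" "$2" "$3"
}

drop_report "$SAMPLE_ETHTOOL" "$SAMPLE_SOFTNET" "$SAMPLE_STATS"
```

On a live sensor the calls become `nic_drops "$(ethtool -S eth1)"`, `softnet_drops "$(cat /proc/net/softnet_stat)"` and `bro_drops "$(cat /path/to/stats.log)"`; none of the three alone tells you the whole story, which is the point Michał makes, and drops before the packets reach the sensor still need capture_loss.log on top.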