[Bro] Bro + pf_ring on a Raspberry Pi 3

Alex Kefallonitis al.kefallonitis at gmail.com
Tue Feb 28 13:55:54 PST 2017


No, I haven't. How do I enable it? Just compile Bro with
pcap=/opt/pfring/lib/libpcap.so? It would be faster than standard libpcap
but not as fast as pf_ring?

The bad checksum stuff is weird, but I also tried with the -C option with no
difference. Anyway, the whole problem seems pretty unusual.

2017-02-28 23:48 GMT+02:00 Azoff, Justin S <jazoff at illinois.edu>:

>
> > On Feb 28, 2017, at 4:37 PM, Alex Kefallonitis <
> al.kefallonitis at gmail.com> wrote:
> >
> > pi at raspberrypi:~/bro-test $ cat reporter.log
> > #separator \x09
> > #set_separator    ,
> > #empty_field    (empty)
> > #unset_field    -
> > #path    reporter
> > #open    2017-02-28-21-09-35
> > #fields    ts    level    message    location
> > #types    time    enum    string    string
> > 1488316175.157715    Reporter::INFO    received termination signal
> (empty)
> > 1488316175.157715    Reporter::INFO    674 packets received on interface
> eth0, 0 dropped    (empty)
> > #close    2017-02-28-21-09-35
> >
>
> Ah, well, that's not so bad.
>
>
> The entries that you pasted from your conn.log before only had "^c" for
> history, which is
>
>         ## ^       connection direction was flipped by Bro's heuristic
>         ## c       packet with a bad checksum
>
>
> Have you tried Bro using the libpcap that comes with pf_ring?
>
> --
> - Justin Azoff
>
>
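
Added example, not part of the thread: a small Python triage of the two logs discussed above. It parses Bro's ASCII log format, lists connections whose history contains only bad-checksum letters, and reads the received/dropped counts from the reporter.log message. The conn.log rows, addresses and uids are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in Bro's ASCII log format (same header layout as the
# reporter.log above). Only a subset of conn.log columns; all values made up.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto\thistory",
    "#types\ttime\tstring\taddr\taddr\tenum\tstring",
    "1488316170.000001\tCaaa01\t192.0.2.10\t198.51.100.5\ttcp\t^c",
    "1488316171.000002\tCaaa02\t192.0.2.10\t198.51.100.6\ttcp\tShADadFf",
    "1488316172.000003\tCaaa03\t192.0.2.11\t198.51.100.5\tudp\tC",
    "1488316173.000004\tCaaa04\t192.0.2.12\t198.51.100.7\ttcp\t-",
    "#close\t2017-02-28-21-09-35",
])

def parse_bro_log(text):
    """Return data rows as dicts keyed by the names on the #fields line."""
    sep, fields, rows = "\t", [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Header value is an escaped literal such as \x09 (tab).
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split(sep))))
    return rows

def checksum_only(rows):
    """uids whose history, ignoring '^', holds only 'c' (or originator-side 'C')."""
    hits = []
    for row in rows:
        letters = row.get("history", "-").replace("^", "")
        if letters and set(letters) <= {"c", "C"}:
            hits.append(row["uid"])
    return hits

def capture_stats(message):
    """Pull (received, dropped) out of Bro's shutdown message in reporter.log."""
    m = re.search(r"(\d+) packets received on interface \S+, (\d+) dropped", message)
    return (int(m.group(1)), int(m.group(2))) if m else None
```

Comparing `len(checksum_only(rows))` against `len(rows)` shows whether bad checksums affect a few connections or nearly all of them.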