[Bro-Dev] PF_RING cluster ID

Seth Hall seth at icir.org
Wed Aug 31 12:43:09 PDT 2011


On Aug 31, 2011, at 3:24 PM, William Jones wrote:

> [worker-1]
> type=worker
> host=mojo1.tacc.utexas.edu
> interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C

Heh, the hack rises its head again (including command line stuff in the 'interface' option). We really need to get multiple interface support in broctl soon. :)

I do actually have a question though, why have you included -C?  Using the -C flag when running in production on live traffic is actually pretty bad to do since you leave yourself open to trivial evasion.  You should be seeing valid checksums anywhere you'd be sniffing anyway, the checksum problem only happens when a host offloads the checksum calculation to the NIC and you're sniffing traffic on your local machine.

Let me know when you are ready to upgrade to the next release when we get it out too because there is an easier way to do your per-node script.  I *think* that what you're currently doing should continue to work though.  Thanks for documenting the filter trick for the list. :)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
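
An added example, not part of the original message or of broctl: a small audit that reads a node.cfg in the format quoted above and reports workers whose 'interface' option smuggles in extra command line arguments, in particular -C. The function name, the shortened worker-1 interface list and the worker-2 stanza are constructed for illustration.

```python
import configparser
import shlex

# Constructed sample modeled on the stanza quoted in the message;
# worker-2 and its host name are made up for contrast.
SAMPLE_NODE_CFG = """
[worker-1]
type=worker
host=mojo1.tacc.utexas.edu
interface=eth1.600 -i eth0.600 -i eth1.521 -C

[worker-2]
type=worker
host=sensor2.example.org
interface=eth0
"""


def audit_node_cfg(text):
    """Map each worker to its interfaces, -C usage and other stray arguments."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    report = {}
    for node in cfg.sections():
        if cfg.get(node, "type", fallback="") != "worker":
            continue
        tokens = shlex.split(cfg.get(node, "interface", fallback=""))
        interfaces, extra, ignores = [], [], False
        # The first token is the real interface name; the rest is the hack.
        if tokens and not tokens[0].startswith("-"):
            interfaces.append(tokens.pop(0))
        it = iter(tokens)
        for tok in it:
            if tok == "-i":
                name = next(it, None)
                if name is not None:
                    interfaces.append(name)
            elif tok == "-C":
                ignores = True  # checksum validation disabled on this worker
            else:
                extra.append(tok)
        report[node] = {"interfaces": interfaces,
                        "ignores_checksums": ignores,
                        "extra_args": extra}
    return report


if __name__ == "__main__":
    for node, info in audit_node_cfg(SAMPLE_NODE_CFG).items():
        flag = "WARNING: -C set" if info["ignores_checksums"] else "ok"
        print(f"{node}: {', '.join(info['interfaces'])} [{flag}]")
```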



