[Bro-Dev] PF_RING cluster ID

Seth Hall seth at icir.org
Wed Aug 31 12:43:09 PDT 2011

On Aug 31, 2011, at 3:24 PM, William Jones wrote:

> [worker-1]
> type=worker
> host=mojo1.tacc.utexas.edu
> interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C

Heh, the hack rises it's head again (including command line stuff in the 'interface' option). We really need to get multiple interface support in broctl soon. :)

I do actually have a question though, why have you included -C?  Using the -C flag when running in production on live traffic is actually pretty bad to do since you leave yourself open to trivial evasion.  You should be seeing valid checksums anywhere you'd be sniffing anyway, the checksum problem only happens when a host offloads the checksum calculation to the NIC and you're sniffing traffic on your local machine.

Let me know when you are ready to upgrade to the next release when we get it out too because there is an easier way to do your per-node script.  I *think* that what you're currently doing should continue to work though.  Thanks for documenting the filter trick for the list. :)


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the bro-dev mailing list