[Bro-Dev] snaplen and drops

Martin Holste mcholste at gmail.com
Tue Nov 1 18:51:09 PDT 2011

> I'm a bit puzzled. If I understand things correctly, libpcap-1.0.0 uses AF_PACKET by default (after checking that MMAP support is available in the running kernel).

I don't think that's how it works, but I'm not a kernel-hacking guru.
The reason I'm pretty sure it doesn't work that way is that both Snort
and Suricata IDS include separate data acquisition code for libpcap
and af_packet, which is nonsensical if you can get af_packet via
libpcap natively.  I did a bit of Googling and cannot find anything
definitive one way or the other.

> Cool, I wasn't aware of load balancing features in the standard kernel. Did you do some experiments to compare the standard kernel load-balancing to the one provided by PF_RING?

None of the major distros are using the 3.0 kernel yet, and I don't
have time to mess around with the dev kernels, so I'm without any
experimental data for you.

More information about the bro-dev mailing list