[Bro-Dev] snaplen and drops

Martin Holste mcholste at gmail.com
Fri Oct 28 15:21:03 PDT 2011


Glad you were able to sort this out.  I use PF_RING exclusively for
packet capture, so I've not run into this before.

In the future, AF_PACKET support would be a great addition to Bro and
would bring it closer to Snort and Suricata as far as acquisition.
It's got performance reasonably close to PF_RING without having to
download anything extra.  However, you need to be running a 3.0 Linux
kernel to do software load-balancing, which is one of the reasons I
use PF_RING.

On Fri, Oct 28, 2011 at 10:56 AM, Robin Sommer <robin at icir.org> wrote:
>
> On Fri, Oct 28, 2011 at 10:49 +0200, you wrote:
>
>> If you want to use the new API and do not want to drop support for
>> libpcap < 1.0.0, you have to check the pcap version in cmake and set
>> some define for old versions (e.g. -DOLD_PCAP). Then you can have
>> something like the following in PktSrc.cc:
>
> Thanks for the code example, I hadn't really looked at the new API
> yet. I'm not that concerned about dropping support for libpcap < 1.
> The part I don't like is how the new parameter "buffer size" impacts
> behaviour of existing programs without giving the user a hook to change
> the default. That doesn't seem right to me.
>
> Anyways, for Bro it probably makes most sense to address this as a
> part of a larger piece we already have on our to-do list: overhauling
> Bro's code for packet acquisition. It's in pretty bad shape right now:
> (1) the main packet loop still works around problems with non-blocking
> mode in older libpcap/OS versions; I would hope that's not necessary
> anymore. (2), we don't have a nice interface for using other packet
> sources than libpcap; we need an abstraction there. And finally (3),
> if we got an interface in to exploit further NIC-level features, like
> load-balancing, that would be pretty cool.
>
> Not sure when somebody will start working on all this though.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro-ids.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
>


