Bro: effect of filter on speed/drops
Vern Paxson
vern at ee.lbl.gov
Tue Apr 10 01:29:13 PDT 2001
> We run bro by specifying a filter like:
> 1. -f "tcp" or
> 2. -f "tcp or udp"
>
> Will one of these rules theoretically drop fewer packets than the other
> on heavy load ? Also will one execute faster than the other ?
Well, the first captures <= as many packets as the second, so it may be a
bit better. *But* you usually shouldn't be using -f at all; the packets to
capture are set by the "capture_filter" and "restrict_filter" policy
variables, and if you look in the analyzers (e.g., FTP, login) in the
policy/*.bro files, you'll see that they already specify tighter filters
than the above. Either of the above will capture nearly all the traffic
on the link; for high-speed monitoring, Bro instead relies on filtering
out much of the traffic, capturing just TCP SYN/FIN/RST packets for general
TCP analysis, and protocol-specific traffic (e.g., port 21/tcp for FTP)
for the analyzers you instantiate.
> If libpcap is losing packets due to the enormous traffic in a network,
> can it be avoided by making the filter more specific ?
Definitely!
Vern
More information about the Bro
mailing list