Strange question
rmkml
rmkml at wanadoo.fr
Sat Feb 21 13:49:54 PST 2004
Hi,
I little tested bro on my fbsd v49R box,
I send with tcpreplay on another box (linux) trafic 50Mbits (/8 for
MBytes) [Cross cable with two box]
and if I send 'systat 1 -vmstat' on freebsd,
I read on interrupt fxp1 case : ~6000-6500 interrupt
ok is good because 6500 * 8 = ~50Mbits
My strange question is,
why if (I killed bro) and start tcpdump v381 (or 372 or snort or prelude)
I read on interrupt fxp1 case : ~4200 interrupt
this is not good because 4200 * 8 = 33.6Mbits
I have many repeat this and same results.
same results if change sysctl bpf buf.
This is not a question to bro, but if anybody to explain me ?
I compiled bro 0.8a70 current with libpcap 081.
I compiled freebsd kernel with HZ=1000.
(my kernel not have polling compiled/enabled,
and my fxp1 have uniq irq)
Regards
Rmkml at Wanadoo.fr
More information about the Bro
mailing list