[Bro] Problem: Bro listening on two ethernet interfaces
Vern Paxson
vern at icir.org
Tue May 10 07:38:45 PDT 2005
> i looked at the c-code. i runned it on different machines and
> on various interfaces. bro still drops most of the packets
> when i force it to listen on two interfaces.
>
> is it a libpcap problem?
> a bro problem?
> a linux problem?
I believe it's a Linux problem. We do this under FreeBSD in two different
ways, either merging the interfaces in the kernel into one logical interface
(via a custom patch), or at user level. While the in-kernel version
performs better, the user-level one isn't a disaster like you describe.
I also recall hearing others mention that multiple interfaces under Linux
do not work well in general. I don't use Linux, though, so can't comment
more directly.
Vern
More information about the Bro
mailing list