[Bro] Problem: Bro listening on two ethernet interfaces

Tim Brooks tbrooks at ncsa.uiuc.edu
Tue May 10 08:01:29 PDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ours works fine on linux with the interfaces set in etc/bro.cfg like:

BRO_CAPTURE_INTERFACE="eth2 eth3"

Tim Brooks

Vern Paxson wrote:

>>i looked at the c-code. i runned it on different machines and
>>on various interfaces. bro still drops most of the packets
>>when i force it to listen on two interfaces.
>>
>>is it a libpcap problem?
>>a bro problem?
>>a linux problem?
>
>
>I believe it's a Linux problem. We do this under FreeBSD in two different
>ways, either merging the interfaces in the kernel into one logical interface
>(via a custom patch), or at user level. While the in-kernel version
>performs better, the user-level one isn't a disaster like you describe.
>
>I also recall hearing others mention that multiple interfaces under Linux
>do not work well in general. I don't use Linux, though, so can't comment
>more directly.
>
> Vern
>_______________________________________________
>Bro mailing list
>bro at bro-ids.org
>http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


- --
Tim Brooks
Security Engineer

National Center for Supercomputing Applications
605 East Springfield Avenue   Champaign, IL 61820


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCgMzJZsl1Kn8xw9YRAo5SAJwOnyv8SRrZd6M0j+ulW4XG1zcHXwCgwMF2
RolyqC5DpSo+7aCct02Oqms=
=in3B
-----END PGP SIGNATURE-----




More information about the Bro mailing list