[Bro] Problem: Bro listening on two ethernet interfaces

Christoph Goeldi goeldich at ee.ethz.ch
Mon May 23 09:54:00 PDT 2005


Quoting Vern Paxson <vern at icir.org>:

>> I looked at the C code. I ran it on different machines and
>> on various interfaces. Bro still drops most of the packets
>> when I force it to listen on two interfaces.
>>
>> Is it a libpcap problem?
>> A Bro problem?
>> A Linux problem?
>
> I believe it's a Linux problem.  We do this under FreeBSD in two different
> ways, either merging the interfaces in the kernel into one logical interface
> (via a custom patch), or at user level.  While the in-kernel version
> performs better, the user-level one isn't a disaster like you describe.
>
> I also recall hearing others mention that multiple interfaces under Linux
> do not work well in general.  I don't use Linux, though, so can't comment
> more directly.

I found a small C program that allows listening on multiple interfaces and
writing the captured packets to a file:
http://www.isi.edu/~hussain/software/snoop.c

And it works!!!
I'm really not (yet) a pcap crack. Does somebody know what the difference is
between this program and the Bro implementation?

I really appreciate any help.

Cheers
Christoph




