[Bro] Problem: Bro listening on two ethernet interfaces

Jose M. Gonzalez chema at cs.berkeley.edu
Mon May 23 11:49:44 PDT 2005 

Christoph, 

The C-program you mention opens several interfaces and select()'s its 
descriptors. A per-packet call to select() can be too expensive in 
high-volume environments. Moreover, it's not clear select() is the 
cheapest way to attend several descriptors. If you want to play with 
this, Kohler's click FromDevice element permits selecting between 
select(), poll(), and FreeBSD's kevent() (though the latter may be buggy 
when used with BPF devices). 

http://pdos.csail.mit.edu/click/

FYI, Bro tries to limit the calls to select() to just those instants 
when all the sources are dry (or every often; check IOSource.cc and 
PktSrc.cc, where all the pcap stuff is located). Also, Bro orders 
packets received from different sources by their timestamp (the 
C-program is biased to processing packets from the first interface). 

BTW, you can't compare this program with Bro. The former just dumps 
packets to a file. Bro is a stateful intrusion detection system. 

-Chema



Christoph Goeldi wrote:
> Zitat von Vern Paxson <vern at icir.org>:
> 
> >>i looked at the c-code. i runned it on different machines and
> >>on various interfaces. bro still drops most of the packets
> >>when i force it to listen on two interfaces.
> >>
> >>is it a libpcap problem?
> >>a bro problem?
> >>a linux problem?
> >
> >I believe it's a Linux problem.  We do this under FreeBSD in two different
> >ways, either merging the interfaces in the kernel into one logical 
> >interface
> >(via a custom patch), or at user level.  While the in-kernel version
> >performs better, the user-level one isn't a disaster like you describe.
> >
> >I also recall hearing others mention that multiple interfaces under Linux
> >do not work well in general.  I don't use Linux, though, so can't comment
> >more directly.
> 
> I found a small C-program that allows to listen on multiple interfaces and 
> to
> write the captured packets to a file:
> http://www.isi.edu/~hussain/software/snoop.c
> 
> And it works!!!
> I'm really not (yet) the pcap-crack. Does somebody know what's the 
> difference
> between this program and the bro implementation?
> 
> I really appreciate any help.
> 
> Cheers
> Christoph
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list