[Bro] Problem: Bro listening on two ethernet interfaces
Jose M. Gonzalez
chema at cs.berkeley.edu
Mon May 23 11:49:44 PDT 2005
Christoph,
The C-program you mention opens several interfaces and select()'s its
descriptors. A per-packet call to select() can be too expensive in
high-volume environments. Moreover, it's not clear select() is the
cheapest way to attend several descriptors. If you want to play with
this, Kohler's click FromDevice element permits selecting between
select(), poll(), and FreeBSD's kevent() (though the latter may be buggy
when used with BPF devices).
http://pdos.csail.mit.edu/click/
FYI, Bro tries to limit the calls to select() to just those instants
when all the sources are dry (or every so often; check IOSource.cc and
PktSrc.cc, where all the pcap stuff is located). Also, Bro orders
packets received from different sources by their timestamp (the
C-program is biased to processing packets from the first interface).
BTW, you can't compare this program with Bro. The former just dumps
packets to a file. Bro is a stateful intrusion detection system.
-Chema
Christoph Goeldi wrote:
> Zitat von Vern Paxson <vern at icir.org>:
>
> >>I looked at the C code. I ran it on different machines and
> >>on various interfaces. Bro still drops most of the packets
> >>when I force it to listen on two interfaces.
> >>
> >>is it a libpcap problem?
> >>a bro problem?
> >>a linux problem?
> >
> >I believe it's a Linux problem. We do this under FreeBSD in two different
> >ways, either merging the interfaces in the kernel into one logical interface
> >(via a custom patch), or at user level. While the in-kernel version
> >performs better, the user-level one isn't a disaster like you describe.
> >
> >I also recall hearing others mention that multiple interfaces under Linux
> >do not work well in general. I don't use Linux, though, so can't comment
> >more directly.
>
> I found a small C-program that allows to listen on multiple interfaces and
> to write the captured packets to a file:
> http://www.isi.edu/~hussain/software/snoop.c
>
> And it works!!!
> I'm really not (yet) the pcap-crack. Does somebody know what's the
> difference between this program and the bro implementation?
>
> I really appreciate any help.
>
> Cheers
> Christoph
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
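The two reading strategies Chema contrasts, as an added simulation that is not code from the thread, from Bro, or from snoop.c: a per-packet select() loop that serves the first readable interface, beside a loop that waits only when every source is dry and always emits the earliest-timestamped packet. Interfaces and select() are simulated in memory; the packet arrivals are constructed sample data.

```python
from collections import deque

class PktSrc:
    """Simulated capture interface. `batches` lists the packet groups that
    become readable one per select() call (constructed data, not a capture)."""
    def __init__(self, name, batches):
        self.name = name
        self.batches = deque(batches)
        self.queue = deque()  # packets readable right now, in arrival order

    def refill(self):
        # A dry source gets its next batch; a source still holding packets
        # keeps them (they were already readable before select() was called).
        if not self.queue and self.batches:
            self.queue.extend(self.batches.popleft())

class Selector:
    """Stand-in for select(): counts calls and marks descriptors readable."""
    def __init__(self, sources):
        self.sources, self.calls = sources, 0

    def wait(self):
        self.calls += 1
        for s in self.sources:
            s.refill()
        return [s for s in self.sources if s.queue]  # readable sources

def read_select_per_packet(sources):
    """snoop.c-style loop as the message characterizes it: one select()
    per packet, serving the first readable interface each time."""
    sel, out = Selector(sources), []
    while True:
        ready = sel.wait()
        if not ready:
            return out, sel.calls
        src = ready[0]              # interface order decides, not time
        out.append((src.name,) + src.queue.popleft())

def read_timestamp_ordered(sources):
    """Bro-style loop as the message describes it: select() only when every
    source is dry, then always emit the earliest-timestamped packet."""
    sel, out = Selector(sources), []
    while True:
        ready = [s for s in sources if s.queue]
        if not ready:
            ready = sel.wait()      # all sources dry: now block
            if not ready:
                return out, sel.calls
        src = min(ready, key=lambda s: s.queue[0][0])
        out.append((src.name,) + src.queue.popleft())

def sample_sources():
    # Constructed arrivals: (timestamp, packet id) per interface.
    return [PktSrc("eth0", [[(1.0, "a0"), (3.0, "a1")], [(5.0, "a2")]]),
            PktSrc("eth1", [[(2.0, "b0")], [(4.0, "b1"), (6.0, "b2")]])]
```

On the sample data the per-packet loop needs 7 select() calls and emits timestamps 1, 3, 5, 2, 4, 6, while the timestamp-ordered loop needs 3 calls and emits them in order.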