[Bro] Problem: Bro listening on two ethernet interfaces
Christoph Göldi
goeldich at ee.ethz.ch
Mon May 23 13:28:10 PDT 2005
Hi Chema
> The C-program you mention opens several interfaces and select()'s its
> descriptors. A per-packet call to select() can be too expensive in
> high-volume environments. Moreover, it's not clear select() is the
> cheapest way to attend several descriptors. If you want to play with
> this, Kohler's click FromDevice element permits selecting between
> select(), poll(), and FreeBSD's kevent() (though the latter may be buggy
> when used with BPF devices).
>
> http://pdos.csail.mit.edu/click/
>
> FYI, Bro tries to limit the calls to select() to just those instants
> when all the sources are dry (or every so often; check IOSource.cc and
> PktSrc.cc, where all the pcap stuff is located). Also, Bro orders
> packets received from different sources by their timestamp (the
> C-program is biased to processing packets from the first interface).
Thank you for your explanations. I don't understand the details of
these possibilities when capturing packets. But I will try to learn
these things to find the problem which appears when bro is listening
on multiple interfaces.
> BTW, you can't compare this program with Bro. The former just dumps
> packets to a file. Bro is a stateful intrusion detection system.
I know that this 300-line program doesn't have the same functionality
as Bro! ;-)
I'm just trying to understand why capturing traffic on multiple
interfaces doesn't work on Linux.
Thank you for your time
Christoph
> Christoph Goeldi wrote:
>> Zitat von Vern Paxson <vern at icir.org>:
>>
>> >> I looked at the C code. I ran it on different machines and
>> >> on various interfaces. Bro still drops most of the packets
>> >> when I force it to listen on two interfaces.
>> >>
>> >> Is it a libpcap problem?
>> >> A Bro problem?
>> >> A Linux problem?
>> >
>> > I believe it's a Linux problem. We do this under FreeBSD in two
>> > different ways, either merging the interfaces in the kernel into one
>> > logical interface (via a custom patch), or at user level. While the
>> > in-kernel version performs better, the user-level one isn't a disaster
>> > like you describe.
>> >
>> > I also recall hearing others mention that multiple interfaces under
>> > Linux do not work well in general. I don't use Linux, though, so
>> > can't comment more directly.
>>
>> I found a small C program that allows one to listen on multiple interfaces
>> and to write the captured packets to a file:
>> http://www.isi.edu/~hussain/software/snoop.c
>>
>> And it works!!!
>> I'm really not (yet) a pcap crack. Does somebody know the
>> difference between this program and the Bro implementation?
>>
>> I really appreciate any help.
>>
>> Cheers
>> Christoph
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
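Chema's description above (Bro only blocks in select() when every source is dry, and orders packets from different interfaces by timestamp, whereas the snoop-style loop is biased toward the first interface) is easier to see in code. The following is an added illustration written for this archive page; it is not code from the thread, from snoop.c, or from Bro's IOSource.cc/PktSrc.cc. To keep it runnable without network access or libpcap, the interfaces are constructed in-memory FIFOs, a scripted `wait_for_packets()` stands in for a blocking select() that delivers the next batch of arrivals, and all function and type names (`capture_ordered`, `capture_first_first`, `src_t`, `pkt_t`) are assumptions made here. The arrival script is constructed so that the two interfaces' packets interleave in time.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a captured packet: a pcap-style timestamp
 * (seconds) plus the index of the interface it came from. */
typedef struct { double ts; int iface; } pkt_t;

#define NSRC     2
#define MAX_PKTS 16

/* One capture source (one interface): a FIFO of packets the "kernel"
 * has handed over since we last blocked. */
typedef struct { pkt_t buf[MAX_PKTS]; int head, tail; } src_t;

static int          src_empty(const src_t *s) { return s->head == s->tail; }
static const pkt_t *src_peek(const src_t *s)  { return src_empty(s) ? NULL : &s->buf[s->head]; }
static void         src_pop(src_t *s)         { s->head++; }

/* Scripted arrivals (constructed sample data): each "batch" is what one
 * blocking select() wake-up would deliver. Interface 1's packets fall
 * between interface 0's in time. */
typedef struct { int batch; double ts; int iface; } arrival_t;
static const arrival_t SCRIPT[] = {
    {0, 1.0, 0}, {0, 3.0, 0}, {0, 2.0, 1},
    {1, 5.0, 0}, {1, 4.0, 1}, {1, 6.0, 1},
};
#define NSCRIPT ((int)(sizeof SCRIPT / sizeof SCRIPT[0]))

/* Stand-in for select(): block until the next batch arrives, deliver it to
 * the per-interface FIFOs, and return how many packets came in (0 = EOF). */
static int wait_for_packets(src_t *srcs, int *batch, int *nwaits)
{
    int delivered = 0;
    (*nwaits)++;
    for (int i = 0; i < NSCRIPT; i++) {
        if (SCRIPT[i].batch != *batch) continue;
        src_t *s = &srcs[SCRIPT[i].iface];
        s->buf[s->tail].ts = SCRIPT[i].ts;
        s->buf[s->tail].iface = SCRIPT[i].iface;
        s->tail++;
        delivered++;
    }
    (*batch)++;
    return delivered;
}

/* Timestamp-ordered merge, the strategy the post attributes to Bro: while
 * any source still holds data, emit the oldest head packet across all
 * sources; block (select) only once every source is dry. */
static int capture_ordered(pkt_t *out, int max_out, int *nwaits)
{
    src_t srcs[NSRC];
    memset(srcs, 0, sizeof srcs);
    int n = 0, batch = 0;
    *nwaits = 0;
    for (;;) {
        int best = -1;                       /* source with the oldest head */
        for (int i = 0; i < NSRC; i++) {
            const pkt_t *p = src_peek(&srcs[i]);
            if (p && (best < 0 || p->ts < src_peek(&srcs[best])->ts)) best = i;
        }
        if (best >= 0) {
            if (n < max_out) out[n++] = *src_peek(&srcs[best]);
            src_pop(&srcs[best]);
            continue;                        /* still not dry: don't block */
        }
        if (wait_for_packets(srcs, &batch, nwaits) == 0) return n;
    }
}

/* The naive loop the post describes for the C program: always drain
 * interface 0 before looking at interface 1, regardless of timestamps. */
static int capture_first_first(pkt_t *out, int max_out, int *nwaits)
{
    src_t srcs[NSRC];
    memset(srcs, 0, sizeof srcs);
    int n = 0, batch = 0;
    *nwaits = 0;
    for (;;) {
        int got = 0;
        for (int i = 0; i < NSRC; i++) {
            while (!src_empty(&srcs[i])) {
                if (n < max_out) out[n++] = *src_peek(&srcs[i]);
                src_pop(&srcs[i]);
                got = 1;
            }
        }
        if (!got && wait_for_packets(srcs, &batch, nwaits) == 0) return n;
    }
}

/* 1 if the emitted stream is non-decreasing in time, else 0. */
static int is_sorted(const pkt_t *p, int n)
{
    for (int i = 1; i < n; i++) if (p[i].ts < p[i - 1].ts) return 0;
    return 1;
}

int main(void)
{
    pkt_t out[MAX_PKTS];
    int waits, n;
    n = capture_ordered(out, MAX_PKTS, &waits);
    printf("ordered     (%d waits):", waits);
    for (int i = 0; i < n; i++) printf(" %.0f/if%d", out[i].ts, out[i].iface);
    printf("\nfirst-first (%d waits):", (n = capture_first_first(out, MAX_PKTS, &waits), waits));
    for (int i = 0; i < n; i++) printf(" %.0f/if%d", out[i].ts, out[i].iface);
    printf("\n");
    return 0;
}
```

Both loops block the same number of times (once per batch plus the final empty wake-up), which is the point of draining before blocking; the difference is purely in the order packets reach the analysis engine. The biased loop emits 1,3,2,5,4,6, so a stateful analyser would see interface 1's traffic out of sequence relative to interface 0's, while the merge emits 1 through 6 in order. With real libpcap handles the same structure applies, using pcap_get_selectable_fd() for the descriptors and the per-packet pcap header timestamp for the comparison.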