[Bro] Problem: Bro listening on two ethernet interfaces
Jose M. Gonzalez
chema at cs.berkeley.edu
Mon May 23 17:45:12 PDT 2005
Christoph Göldi wrote:
> > BTW, you can't compare this program with Bro. The former just dumps
> > packets to a file. Bro is a stateful intrusion detection system.
>
> I know that this 300-lines-program has not the same functionality
> like bro! ;-)
> I just try to understand why the capturing of traffic on multiple
> interfaces doesn't work with Linux.
Slightly offtopic, I had a related problem capturing traffic in Linux
(RHEL WS 4 running 2.6.9-5.ELsmp), in just one interface at the same
time.
I tried injecting packets into a network device, and capturing them in
the same machine (tcpreplay/tcpdump). In both cases, I used a 230 Mbps,
real-traffic trace that lasts 3.4 seconds (~250000 packets).
When I used a real device (Intel PRO/100 Ethernet Driver), tcpreplay got
slowed down to 90 Mbps, and tcpdump got duplicated packets (not that many,
~262 out of 250000).
When I used a virtual device (VMWare's vmnet), tcpdump lost ~66 consecutive
packets out of the 250000, which were reported as "dropped by kernel."
Maybe somebody has some ideas.
-Chema
More information about the Bro
mailing list