[Bro] A few questions

Robin Sommer robin at icir.org
Tue Feb 2 08:24:46 PST 2010


On Tue, Feb 02, 2010 at 10:56 -0500, Powell, Scott wrote:

> My concern is these machines have 2 x AMD Opteron Quad Core 2.1 GHz
> processors and yet Bro cannot keep up with the out of the box policy
> configuration. Also, it seems all of my analysis is being done on
> one core of the worker with the TAP. Why isn't the analysis being
> spread across the other workers? They seem to be sitting idle.

I'm not sure I have fully understood how you set things up, but you
need some external way of distributing the traffic across the
workers. If the workers are running on separate PCs, that's
typically some form of load-balancing frontend device. If they all
run on the same box (in order to leverage multiple core), you can
try some BPF tricks. 

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org



More information about the Bro mailing list