[Bro] Bro performance issues
William Jones
jones at tacc.utexas.edu
Thu Nov 3 14:30:07 PDT 2011
I do bro mentoring with a tap. That means that each bro instances needs to read from two Ethernet interface to see tranmit and receive side the same tcp connection. The pcap filters insure that this happens. What happens when I use the PF_RING pcap interface with bro. Will each bro worker see the same connection pair?
-----Original Message-----
From: Seth Hall [mailto:seth at icir.org]
Sent: Thursday, November 03, 2011 2:49 PM
To: William Jones
Cc: 'Tomer Teller'; Martin Holste; bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues
On Nov 3, 2011, at 3:40 PM, William Jones wrote:
> Don't you need more foo to get PF_RING to load balance it looks like you have to bind a bro instances to a cpu?
Nope, and if you build Bro against the PF_RING libpcap wrapper BroControl automatically takes care of everything to begin load balancing. I'm still waiting to hear back from Tomer with the output from the commands I asked him for earlier to actually figure out what's going wrong for him.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
More information about the Bro
mailing list