[Bro] Bro performance issues
Martin Holste
mcholste at gmail.com
Thu Nov 3 15:10:54 PDT 2011
Actually, I recommend setting up a bonded interface, which recent
PF_RING's will happily monitor.
On Thu, Nov 3, 2011 at 4:30 PM, William Jones <jones at tacc.utexas.edu> wrote:
> I do bro mentoring with a tap. That means that each bro instances needs to read from two Ethernet interface to see tranmit and receive side the same tcp connection. The pcap filters insure that this happens. What happens when I use the PF_RING pcap interface with bro. Will each bro worker see the same connection pair?
>
> -----Original Message-----
> From: Seth Hall [mailto:seth at icir.org]
> Sent: Thursday, November 03, 2011 2:49 PM
> To: William Jones
> Cc: 'Tomer Teller'; Martin Holste; bro at bro-ids.org
> Subject: Re: [Bro] Bro performance issues
>
>
> On Nov 3, 2011, at 3:40 PM, William Jones wrote:
>
>> Don't you need more foo to get PF_RING to load balance it looks like you have to bind a bro instances to a cpu?
>
> Nope, and if you build Bro against the PF_RING libpcap wrapper BroControl automatically takes care of everything to begin load balancing. I'm still waiting to hear back from Tomer with the output from the commands I asked him for earlier to actually figure out what's going wrong for him.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
More information about the Bro
mailing list