[Bro] Bro performance issues

Seth Hall seth at icir.org
Mon Oct 31 06:05:32 PDT 2011


On Oct 31, 2011, at 8:51 AM, Tomer Teller wrote:

> I want to load balance my traffic between 2 cores using the mentioned restrict filter (due to NAT, maybe it will be wise to filter by Source port, even -> worker-1, odd -> worker-2)

Use this....

event bro_init()
	{
	if ( peer_description == "worker-1" )
		restrict_filters += { ["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 0" };
	if ( peer_description == "worker-2" )
		restrict_filters += { ["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 1" };
	}

 .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/





More information about the Bro mailing list