[Bro] Quick pf_ring question
James Lay
jlay at slave-tothe-box.net
Fri Aug 22 10:04:16 PDT 2014
On 2014-08-21 16:11, James Lay wrote:
> Hey all!
>
> So...where/how does one utilize pf_ring via command-line/local.bro?
> I'm not having much luck finding the info...thanks for any help.
>
> James
Comparison of running bro linked to system libpcap to bro linked to
pf_ring via command line:

sudo bro --no-checksums -i eth0 local "Site::local_nets += { 192.168.1.0/24 }"

system libpcap: libpcap.so.0.8 => /usr/lib/x86_64-linux-gnu/libpcap.so.0.8 (0x00007f3221f6c000)

top - 10:43:19 up 20:36, 2 users, load average: 0.42, 0.17, 0.29
Tasks: 99 total, 1 running, 98 sleeping, 0 stopped, 0 zombie
%Cpu(s): 6.8 us, 27.6 sy, 0.0 ni, 65.2 id, 0.0 wa, 0.4 hi, 0.0 si, 0.0 st
KiB Mem: 3082108 total, 2808360 used, 273748 free, 94848 buffers
KiB Swap: 3002364 total, 1112 used, 3001252 free. 2310580 cached Mem

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2801 root 20 0 522304 55964 7500 S 27.5 1.8 0:11.61 bro

pf_ring: libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007fe6c42b5000)

top - 10:54:13 up 20:47, 2 users, load average: 0.05, 0.10, 0.21
Tasks: 99 total, 2 running, 97 sleeping, 0 stopped, 0 zombie
%Cpu(s): 6.1 us, 26.9 sy, 0.0 ni, 67.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem: 3082108 total, 2992864 used, 89244 free, 75388 buffers
KiB Swap: 3002364 total, 1568 used, 3000796 free. 1996052 cached Mem

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5580 root 20 0 899404 576276 529768 R 29.5 18.7 0:24.32 bro

This is on a low usage link with like...one active connection (my ssh
session). Memory is higher and CPU just a smidgeon, so I'm guessing
something is working. Thought I'd fire this out for anyone thinking of
moving to pf_ring.
James