[Bro] PF_RING pfring_open() for Endace DAG

Benjamin Wood ben.bt.wood at gmail.com
Tue Mar 11 16:01:12 PDT 2014


(Currently I'm using Bro 2.1)

Can we change PF_RING mode to use pfring_open() from
/usr/local/include/pf_ring.h instead of libpcap? My rationale follows, and I
would really like to see this get into the main dist.

(I've not looked into modifying libpcap-ring1.1.1 yet, but it's probably
not possible due to how information is delivered from the dag interface.)

According to the NTOP website, it would be just as fast as using
libpcap-ring.
(see: http://www.ntop.org/products/pf_ring/ under "Who needs PF_RING?")

I'm having trouble getting the libpcap-ring1.1.1 from PF_RING to use my DAG
interfaces. (Operationally I have to use PF_RING for the specific stream,
because I'm already using the DAG to split the streams for another
application, and the DAG is limited to only doing this once.)

When using the pf_ring enabled libpcap on a normal interface, it will open
that interface with pf_ring. As it turns out this is not the behavior on a
DAG stream. This is a problem because bro relies on using libpcap to
interface with the DAG.

PF_RING does support the DAG, but you must use the pf_ring library to open
the interface with something like pfring_open("dag:dagX:Y") instead of
trying to use libpcap.

There is an example of pfcount (pf_ring) and pcount (libpcap) in the
PF_RING/userland/examples directory that illustrates how to use the PF_RING
API.

What are your thoughts?

Thanks,
Ben
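As an added illustration of the dispatch the post is asking for (this is example code, not Bro's source and not from PF_RING), the C below parses the "dag:dagX:Y" device string quoted above and decides whether a capture front-end should hand the name to pfring_open() or to libpcap. The enum names, the struct, and the assumption that X is the card index and Y the stream number are my own; the real pfring_open(device, caplen, flags) call is left out so the block compiles without pf_ring.h.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names for this example: which library a front-end would use
 * to open the device. Bro's own capture code is not reproduced here. */
typedef enum {
    OPEN_VIA_LIBPCAP,     /* ordinary interface, e.g. "eth0" */
    OPEN_VIA_PFRING_DAG,  /* DAG stream, must go through pfring_open() */
    OPEN_INVALID          /* malformed or empty device string */
} open_backend_t;

typedef struct {
    int card;    /* X in "dag:dagX:Y" (assumed: DAG card index) */
    int stream;  /* Y in "dag:dagX:Y" (assumed: stream number)  */
} dag_stream_t;

/* Parse a decimal integer at s. Returns characters consumed, 0 on failure.
 * Values above an arbitrary sanity bound are rejected to avoid overflow. */
static size_t parse_uint(const char *s, int *out) {
    size_t n = 0;
    long v = 0;
    while (isdigit((unsigned char)s[n])) {
        v = v * 10 + (s[n] - '0');
        if (v > 1000000) return 0;
        n++;
    }
    if (n == 0) return 0;
    *out = (int)v;
    return n;
}

/* Parse "dag:dagX:Y" exactly; trailing garbage or missing parts fail.
 * Returns 1 on success and fills *out, 0 otherwise. */
int parse_dag_device(const char *dev, dag_stream_t *out) {
    const char *p = dev;
    size_t n;
    if (strncmp(p, "dag:dag", 7) != 0) return 0;
    p += 7;
    n = parse_uint(p, &out->card);
    if (n == 0) return 0;
    p += n;
    if (*p != ':') return 0;
    p++;
    n = parse_uint(p, &out->stream);
    if (n == 0) return 0;
    p += n;
    return *p == '\0';
}

/* Build the "dag:dagX:Y" string for a card/stream pair. Returns 1 on
 * success, 0 if the buffer is too small. */
int format_dag_device(int card, int stream, char *buf, size_t len) {
    int w = snprintf(buf, len, "dag:dag%d:%d", card, stream);
    return w > 0 && (size_t)w < len;
}

/* Decide how to open the device: anything under the "dag:" prefix must be
 * a well-formed DAG stream name and is routed to PF_RING; everything else
 * falls back to libpcap as before. */
open_backend_t choose_backend(const char *dev) {
    dag_stream_t ds;
    if (dev == NULL || *dev == '\0') return OPEN_INVALID;
    if (strncmp(dev, "dag:", 4) == 0)
        return parse_dag_device(dev, &ds) ? OPEN_VIA_PFRING_DAG : OPEN_INVALID;
    return OPEN_VIA_LIBPCAP;
}

int main(int argc, char **argv) {
    /* Constructed sample inputs; pass your own device name as argv[1]. */
    const char *dev = argc > 1 ? argv[1] : "dag:dag0:2";
    dag_stream_t ds;
    switch (choose_backend(dev)) {
    case OPEN_VIA_PFRING_DAG:
        parse_dag_device(dev, &ds);
        printf("%s -> pfring_open(), card %d stream %d\n", dev, ds.card, ds.stream);
        break;
    case OPEN_VIA_LIBPCAP:
        printf("%s -> libpcap\n", dev);
        break;
    default:
        printf("%s -> invalid device string\n", dev);
    }
    return 0;
}
```

The strict parse matters because a string that merely starts with "dag:" but is otherwise malformed should fail early rather than be handed to libpcap, where (as the post describes) it would open without PF_RING and silently fall back to the DAG's own path.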