[Bro] PF_PACKET load balancing

Albert Zaharovits albert.zaharovits at gmail.com
Fri Jun 26 01:04:38 PDT 2015


Hello,

I am experimenting with several OpenSource IDS on Linux.
My concern is load balancing across mmap-ed packet rings.
Some of them have AF_PACKET socket load balancing (Suricata) while others don’t, and rely on PF_RING (Bro).
When I say load balancing I mean PACKET_FANOUT sock option.

The following setup looks like a silver bullet for me:
You compile them (the IDS) with the latest version of pcap, and use pcap filters to achieve load balancing.

Am I missing something?

Best,
Albert


More information about the Bro mailing list