[Bro] pf_ring vrs PF_RING::$iface
erik clark
philosnef at gmail.com
Mon Dec 5 05:33:25 PST 2016
So, having built bro with the pf_ring plugin and pf_ring (libpcap pfring),
I have found that the plugin does not seem to be working as expected.
When I run
interface=$iface
lb_method=pf_ring
lb_procs=18
I get much better performace and less "weird" stuff like rapidly growing
conn and weird logs.
When I use
interface=pf_ring::$iface
lb_method-=(pf_ring or custom, doesnt matter which I choose)
lb_procs=18
my conn logs go crazy. Additionally, some logs which normally grow at 1 to
2 meg a second grow at 1/10th of that. Is there something undocumented
about the native pf_ring plugin that I am unaware of which would lead to
this behavioral discrepency? Is this also rooted in RHEL7 kernel land
issues?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161205/37f476b8/attachment.html
More information about the Bro
mailing list