[Bro] Bro and pf_ring
Seth Hall
seth at icir.org
Thu Jan 7 13:15:39 PST 2016
> On Jan 7, 2016, at 10:49 AM, Vito Logrillo <vitologrillo at gmail.com> wrote:
>
> Now i've seen a plugin for bro able to provide native pf_ring support
>
> https://github.com/bro/bro-plugins/tree/master/pf_ring
>
> Sorry for the lazy question, but which are the benefits of this plugin?
You likely won’t see much of a benefit to using the plugin over using the libpcap wrapper honestly. Doing the single layer of indirection that is caused by the wrapper doesn’t add up to much overhead. Bro actually *doing* things causes most of the overhead.
�
The other small thing to keep in mind is that I haven’t heard many experiences of people using the plugin so the “not widely used code” caveat applies. :)
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list