[Bro] af_packet/pf_ring equivalency

erik clark philosnef at gmail.com
Tue Nov 1 06:09:59 PDT 2016


Interestingly, bwm-ng does not give me traffic numbers for my sniff
interface... I am trying to get ifpps, but I don't want to have to compile
it and would like to find a rhel6 package of it. Sadly, it isn't in EPEL's
netsniff-ng package group.

On Mon, Oct 31, 2016 at 7:21 PM, Michał Purzyński <
michalpurzynski1 at gmail.com> wrote:

> ifpps for generic bandwidth and pps monitoring. Never, ever, use iptraf.
> ifpps has been written by the netsniff-ng author and it speaks for itself.
>
> bwm-ng seems to be good, haven't compared the accuracy and the perf data
> acquisition.
>
>
> For monitoring drops
>
> ethtool -S <int> to detect drops in card's FIFO and sometimes, reasons for
> them.
>
> https://github.com/netoptimizer/network-testing/blob/master/bin/softnet_stat.pl
>
> to detect drops at the softirq layer
>
> Bro's stats.log to detect drops at the af_packet layer
>
> Bro capture_loss to detect drops in all above + drops before packets reach
> your sensor.
>
> Monitoring drops is complex and there is no single metric that tells you
> all. Some of this is true for pfring as well, people just don't know. I've
> seen sensors with 2-3% drops (in Suricata) but 40% drops in FIFO and they
> were like "we're doing fine". Well, so here's some bad news... ;-)
>
>
>
> On Mon, Oct 31, 2016 at 5:38 PM, erik clark <philosnef at gmail.com> wrote:
>
>> I am using pf_ring with pfcount to do traffic analysis (pps/throughput)
>> since it is very reliable.
>>
>> Does af_packet have an equivalent for this? I don't want to use broctl
>> capstats unless there is absolutely no other option.
>>
>
>
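The first two layers named in the quoted reply (card FIFO via `ethtool -S`, softirq via `/proc/net/softnet_stat`), as an added example that is not part of the original thread. The sample inputs are constructed, the softnet rows are truncated to five columns, and the NIC counter names are assumptions because they differ per driver.

```python
import re

# Constructed: two snapshots of /proc/net/softnet_stat, one row per CPU.
# Hex columns: 0 = packets processed, 1 = dropped (backlog full), 2 = time_squeeze.
SOFTNET_BEFORE = """\
0012d687 00000000 00000004 00000000 00000000
000a1b2c 00000010 00000001 00000000 00000000
"""
SOFTNET_AFTER = """\
0013d687 00000000 00000009 00000000 00000000
000b1b2c 00000030 00000001 00000000 00000000
"""

# Constructed `ethtool -S <int>` output; counter names are driver-specific.
ETHTOOL_SAMPLE = """\
NIC statistics:
     rx_packets: 1000000
     rx_missed_errors: 400000
     rx_fifo_errors: 0
     rx_no_buffer_count: 12
     tx_dropped: 0
"""

def parse_softnet(text):
    """Return per-CPU (processed, dropped, time_squeeze) tuples."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 3:
            rows.append(tuple(int(c, 16) for c in cols[:3]))
    return rows

def softnet_delta(before, after):
    """Per-CPU counter increase between two snapshots (counters are cumulative)."""
    return [tuple(a - b for a, b in zip(ra, rb))
            for rb, ra in zip(parse_softnet(before), parse_softnet(after))]

def nic_rx_loss(text):
    """Non-zero rx counters whose name suggests loss in the card or its ring."""
    hits = {}
    for name, val in re.findall(r"^\s*(\S+):\s*(\d+)\s*$", text, re.M):
        if name.startswith("rx") and re.search(r"drop|miss|fifo|no_buf", name) and int(val):
            hits[name] = int(val)
    return hits

if __name__ == "__main__":
    for cpu, (pkts, drops, sq) in enumerate(softnet_delta(SOFTNET_BEFORE, SOFTNET_AFTER)):
        print(f"cpu{cpu}: processed=+{pkts} dropped=+{drops} time_squeeze=+{sq}")
    print("NIC rx loss counters:", nic_rx_loss(ETHTOOL_SAMPLE))
```

On a live sensor, feed it the contents of `/proc/net/softnet_stat` read at two points in time and the output of `ethtool -S` for the capture interface; Bro's stats.log and capture_loss cover the remaining layers.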