[Bro] af_packet/pf_ring equivalency

Drew Dixon dwdixon at umich.edu
Fri Nov 4 09:28:06 PDT 2016


The documentation for installing netsniff-ng is not great so I don't blame
you, however, it's not all that bad if you just run the one liner to
install all the dependencies for your respective distro and then
compile/build just ifpps using the following:

One-liner installation for *all* dependencies on Debian:

  $ sudo apt-get install ccache flex bison libnl-3-dev \
  libnl-genl-3-dev libnl-route-3-dev libgeoip-dev \
  libnetfilter-conntrack-dev libncurses5-dev liburcu-dev \
  libnacl-dev libpcap-dev zlib1g-dev libcli-dev libnet1-dev

One-liner installation for *all* dependencies on Fedora:

  $ sudo yum install ccache flex bison ccache libnl3-devel \
  GeoIP-devel libnetfilter_conntrack-devel ncurses-devel \
  userspace-rcu-devel nacl-devel libpcap-devel zlib-devel \
  libcli-devel libnet-devel

Compile/build options:

  $ ./configure
  $ sudo make ifpps
  $ sudo make ifpps_install

OR (I'd recommend this if you want more tools but the tunneling stuff, FYI
it also creates dependency issues [at least on Fedora based distros] so
exclude it using this)

  $ ./configure
  $ sudo make allbutcurvetun
  $ sudo make install_allbutcurvetun


https://github.com/netsniff-ng/netsniff-ng
https://github.com/netsniff-ng/netsniff-ng/blob/master/INSTALL

On Tue, Nov 1, 2016 at 9:09 AM, erik clark <philosnef at gmail.com> wrote:

> Interestingly, bwm-ng does not give me traffic numbers for my sniff
> interface.... I am trying to get ifpps, but I don't want to have to compile
> it and would like to find a rhel6 package of it. Sadly, it isn't in EPEL's
> netsniff-ng package group.
>
> On Mon, Oct 31, 2016 at 7:21 PM, Michał Purzyński <
> michalpurzynski1 at gmail.com> wrote:
>
>> ifpps for generic bandwidth and pps monitoring. Never, ever, use iptraf.
>> ifpps has been written by the netsniff-ng author and it speaks for itself.
>>
>> bwm-ng seems to be good, haven't compared the accuracy and the perf data
>> acquisition.
>>
>>
>> For monitoring drops
>>
>> ethtool -S <int> to detect drops in card's FIFO and sometimes, reasons
>> for them.
>>
>> https://github.com/netoptimizer/network-testing/blob/master/bin/softnet_stat.pl
>>
>> to detect drops at the softirq layer
>>
>> Bro's stats.log to detect drops at the af_packet layer
>>
>> Bro capture_loss to detect drops in all above + drops before packets
>> reach your sensor.
>>
>> Monitoring drops is complex and there is no single metric that tells you
>> all. Some of this is true for pfring as well, people just don't know. I've
>> seen sensors with 2-3% drops (in Suricata) but 40% drops in FIFO and they
>> were like "we're doing fine". Well, so here's a bad news... ;-)
>>
>>
>>
>> On Mon, Oct 31, 2016 at 5:38 PM, erik clark <philosnef at gmail.com> wrote:
>>
>>> I am using pf_ring with pfcount to do traffic analysis (pps/throughput)
>>> since it is very reliable.
>>>
>>> Does af_packet have an equivalent for this? I don't want to use broctl
>>> capstats unless there is absolutely no other option.
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>>
>
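Pulling the per-layer drop counters Michał lists (NIC FIFO from `ethtool -S`, softirq backlog from /proc/net/softnet_stat, af_packet from Bro's stats.log) into one report, so a low af_packet figure is never read in isolation. This is an added example, not code from the thread or from netsniff-ng/Bro; the ethtool counter names are driver-specific and assumed, and every sample input below is constructed.

```python
import re

# Constructed `ethtool -S <int>` excerpt; rx_fifo_errors/rx_packets names are an assumption.
ETHTOOL_SAMPLE = """NIC statistics:
     rx_packets: 600000
     rx_fifo_errors: 400000
     tx_packets: 10
"""
# Constructed /proc/net/softnet_stat: one hex row per CPU, column 2 is "dropped".
SOFTNET_SAMPLE = """00123456 00000010 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00234567 00000020 00000001 00000000 00000000 00000000 00000000 00000000 00000000
"""
# Constructed Bro stats.log excerpt (tab-separated, subset of its #fields).
STATS_LOG_SAMPLE = "\n".join([
    "#fields\tts\tpeer\tmem\tpkts_proc\tbytes_recv\tpkts_dropped\tpkts_link",
    "1478000000.000000\tworker-1\t120\t95000\t60000000\t2000\t100000",
    "1478000300.000000\tworker-2\t118\t94000\t59000000\t500\t100000",
])

def parse_ethtool(text):
    """Return {counter: value} from `ethtool -S` output (skips the header line)."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^\s*([\w.\-]+):\s*(\d+)\s*$", text, re.M)}

def softnet_drops(text):
    """Per-CPU 'dropped' counter (column 2, hex) from /proc/net/softnet_stat."""
    return [int(line.split()[1], 16) for line in text.splitlines() if line.strip()]

def bro_stats_drops(text):
    """Sum pkts_dropped and pkts_link over all stats.log rows, keyed by the #fields header."""
    fields, dropped, link = None, 0, 0
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif fields and line and not line.startswith("#"):
            row = dict(zip(fields, line.split("\t")))
            dropped += int(row["pkts_dropped"])
            link += int(row["pkts_link"])
    return dropped, link

def drop_report(ethtool_text, softnet_text, stats_text):
    """One figure per layer; af_packet at 1% while the FIFO is at 40% is the case from the thread."""
    nic = parse_ethtool(ethtool_text)
    fifo = nic.get("rx_fifo_errors", 0)
    seen = nic.get("rx_packets", 0) + fifo      # denominator is an assumption; drivers differ
    dropped, link = bro_stats_drops(stats_text)
    return {
        "nic_fifo_pct": round(100.0 * fifo / seen, 2) if seen else 0.0,
        "softirq_dropped": sum(softnet_drops(softnet_text)),
        "af_packet_pct": round(100.0 * dropped / link, 2) if link else 0.0,
    }
```

On a live sensor, feed the functions the real `ethtool -S <int>` output, the contents of /proc/net/softnet_stat and the current stats.log instead of the constructed samples.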