[Bro] af_packet/pf_ring equivalency

Michał Purzyński michalpurzynski1 at gmail.com
Mon Oct 31 16:21:49 PDT 2016


ifpps for generic bandwidth and pps monitoring. Never, ever, use iptraf.
ifpps has been written by the netsniff-ng author and it speaks for itself.

bwm-ng seems to be good, haven't compared the accuracy and the perf data
acquisition.


For monitoring drops

ethtool -S <int> to detect drops in card's FIFO and sometimes, reasons for
them.

https://github.com/netoptimizer/network-testing/blob/master/bin/softnet_stat.pl

to detect drops at the softirq layer

Bro's stats.log to detect drops at the af_packet layer

Bro capture_loss to detect drops in all above + drops before packets reach
your sensor.

Monitoring drops is complex and there is no single metric that tells you
all. Some of this is true for pfring as well, people just don't know. I've
seen sensors with 2-3% drops (in Suricata) but 40% drops in FIFO and they
were like "we're doing fine". Well, so here's a bad news... ;-)



On Mon, Oct 31, 2016 at 5:38 PM, erik clark <philosnef at gmail.com> wrote:

> I am using pf_ring with pfcount to do traffic analysis (pps/throughput)
> since it is very reliable.
>
> Does af_packet have an equivalent for this? I dont want to use broctl
> capstats unless there is absolutely no other option.
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161101/c2b81097/attachment.html 


More information about the Bro mailing list