[Bro] af_packet/pf_ring equivalency
michalpurzynski1 at gmail.com
Mon Oct 31 16:21:49 PDT 2016
ifpps for generic bandwidth and pps monitoring. Never, ever, use iptraf.
ifpps has been written by the netsniff-ng author and it speaks for itself.
bwm-ng seems to be good, haven't compared the accuracy and the perf data
For monitoring drops
ethtool -S <int> to detect drops in card's FIFO and sometimes, reasons for
to detect drops at the softirq layer
Bro's stats.log to detect drops at the af_packet layer
Bro capture_loss to detect drops in all above + drops before packets reach
Monitoring drops is complex and there is no single metric that tells you
all. Some of this is true for pfring as well, people just don't know. I've
seen sensors with 2-3% drops (in Suricata) but 40% drops in FIFO and they
were like "we're doing fine". Well, so here's some bad news... ;-)
On Mon, Oct 31, 2016 at 5:38 PM, erik clark <philosnef at gmail.com> wrote:
> I am using pf_ring with pfcount to do traffic analysis (pps/throughput)
> since it is very reliable.
> Does af_packet have an equivalent for this? I don't want to use broctl
> capstats unless there is absolutely no other option.
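The layered drop check the message describes, as an added example (not code from the post or from the Bro project): it parses constructed samples of `ethtool -S` output, `/proc/net/softnet_stat` (assumed here to be the softirq-layer counter, which the message does not name) and a Bro stats.log excerpt, and reports the drop percentage at each layer, so that a 3% af_packet figure does not hide a 40% NIC FIFO figure.

```python
import re
# Constructed sample of `ethtool -S <int>` output, not counters from a real NIC.
ETHTOOL_SAMPLE = """NIC statistics:
     rx_packets: 600000
     rx_fifo_errors: 400000
"""
# Constructed /proc/net/softnet_stat lines (hex, one row per CPU; column 1 is
# processed, column 2 dropped). Assumed to be the softirq-layer counter meant above.
SOFTNET_SAMPLE = """000186a0 00000000 00000000 00000000
00030d40 00000064 00000000 00000000
"""
# Constructed Bro stats.log excerpt (tab-separated; the #fields header names columns).
STATS_LOG_SAMPLE = ("#fields\tts\tpeer\tpkts_proc\tpkts_dropped\tpkts_link\n"
                    "1477955000\tbro\t97000\t3000\t100000\n")

def parse_ethtool(text):
    # {counter_name: value} for every "name: integer" line
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^\s*(\S+):\s+(\d+)\s*$", text, re.M)}

def parse_softnet(text):
    # sum processed and dropped across all CPU rows
    processed = dropped = 0
    for cols in (line.split() for line in text.splitlines()):
        if len(cols) >= 2:
            processed += int(cols[0], 16)
            dropped += int(cols[1], 16)
    return processed, dropped

def parse_stats_log(text):
    # sum pkts_dropped and pkts_link (packets seen on the link) over all rows
    fields, dropped, link = None, 0, 0
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif fields and not line.startswith("#"):
            row = dict(zip(fields, line.split("\t")))
            dropped += int(row["pkts_dropped"])
            link += int(row["pkts_link"])
    return dropped, link

def pct(dropped, total):
    return round(100.0 * dropped / total, 2) if total else 0.0

def drop_report(ethtool_text, softnet_text, stats_text):
    """Drop percentage per layer; a sensor can look fine at one and awful at another."""
    nic = parse_ethtool(ethtool_text)
    fifo = nic.get("rx_fifo_errors", 0)
    sn_proc, sn_drop = parse_softnet(softnet_text)
    br_drop, br_link = parse_stats_log(stats_text)
    return {"nic_fifo": pct(fifo, nic.get("rx_packets", 0) + fifo),   # 40.0
            "softirq": pct(sn_drop, sn_proc + sn_drop),               # 0.03
            "af_packet": pct(br_drop, br_link)}                       # 3.0
```

On a live sensor, feed it the real `ethtool -S` output, the contents of `/proc/net/softnet_stat` and the current stats.log, and alert on whichever layer crosses your threshold rather than on the Bro figure alone.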