[Bro] bro-dag plugin available

Stephen Donnelly Stephen.Donnelly at endace.com
Thu May 10 14:28:18 PDT 2018


Hi, I'm pleased to announce the release of bro-dag, a Bro packet-source plugin for live capture from Endace DAG cards.

https://github.com/endace/bro-dag

It is available via bro-pkg; note you need to have a DAG card and software installed (available with registration at the support portal https://www.endace.com/support).

With bro-pkg:
bro-pkg refresh
bro-pkg install endace/bro-dag
bro -i endace::dag0:0

The first number is the DAG card index, and the second number is the stream number on that card.

In our experience this plugin provides the best capture performance on DAG cards. The bro-dag README covers example node.cfg for hardware flow balancing across multiple workers (see github above).

There are two alternative methods for live capture using DAG cards in Bro: libpcap or PF_RING.

If libpcap is compiled on a system with DAG software installed, it will support capture from DAG devices with full kernel bypass. Using Bro's native pcap packet source and linking with the correct libpcap library:

bro -i dag0:0

If a recent PF_RING version is installed on a system with DAG software, it dynamically supports DAG cards without any manual compilation/linking required. The bro-pfring plugin can then be used for high performance capture:

bro -i pfring::dag:0:0

Dr Stephen Donnelly
CTO
www.endace.com
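The announcement points to the bro-dag README for a node.cfg that balances flows across several workers, but does not reproduce it. The script below is an added example, not code from the README or from Endace, that generates such a single-host broctl node.cfg from a card index and a worker count. It assumes the interface naming the announcement gives (endace::dag<card>:<stream>), that hardware flow balancing across the streams has already been set up on the card with the Endace tools, and that receive streams are the even-numbered ones (0, 2, 4, ...), as in the DAG stream model; confirm that last point against the DAG documentation for your card. The install path in the usage comment is Bro's default prefix and is also an assumption.

```shell
#!/bin/sh
# Added example (not from the bro-dag README or Endace): emit a broctl
# node.cfg that spreads a DAG card's receive streams across Bro workers.
# Assumptions: interface names follow "endace::dag<card>:<stream>";
# flow balancing across streams is already configured on the card;
# receive streams are even-numbered (0, 2, 4, ...). Check the DAG docs.

# dag_stream_is_rx <stream>: succeed if <stream> is an even (receive) stream.
dag_stream_is_rx() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # not a non-negative integer
    esac
    [ $(( $1 % 2 )) -eq 0 ]
}

# dag_worker_iface <card> <worker-index>: interface name for the n-th
# worker (0-based), mapped onto receive stream 2*n of that card.
dag_worker_iface() {
    echo "endace::dag$1:$(( $2 * 2 ))"
}

# dag_node_cfg <card-index> <n-workers>: print a single-host node.cfg with
# one manager, one proxy and <n-workers> workers, each on its own stream.
dag_node_cfg() {
    card=$1
    nworkers=$2
    case "$nworkers" in
        ''|*[!0-9]*) echo "worker count must be an integer" >&2; return 1 ;;
    esac
    cat <<EOF
[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost
EOF
    i=0
    while [ "$i" -lt "$nworkers" ]; do
        stream=$(( i * 2 ))
        # Refuse anything that is not a receive stream (defensive; the
        # mapping above only ever yields even numbers).
        dag_stream_is_rx "$stream" || {
            echo "stream $stream is not a receive stream" >&2
            return 1
        }
        printf '\n[worker-%d]\ntype=worker\nhost=localhost\ninterface=%s\n' \
            "$(( i + 1 ))" "$(dag_worker_iface "$card" "$i")"
        i=$(( i + 1 ))
    done
}

# Usage (the deploy step needs a working Bro/broctl install; path assumed):
#   dag_node_cfg 0 4 > /usr/local/bro/etc/node.cfg
#   broctl deploy
```

With four workers this yields interfaces endace::dag0:0, endace::dag0:2, endace::dag0:4 and endace::dag0:6. To use one of the two alternative capture paths from the announcement instead, only the interface lines change: dag0:<stream> for a DAG-aware libpcap, or pfring::dag:0:<stream> for the bro-pfring plugin.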