[ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22004#comment-22004 ]
Michal Purzynski commented on BIT-1363:
---------------------------------------
How are you testing it?
Question: would the conn_state be SF and the history be ShADadfR if packets
went to two different processes, one for each direction? I think not, and I
currently use a clustered AF_PACKET on a stage system (bro-master) and that's
what my connections look like.
Also, more "traditional" IDS like Suricata work really well with AF_PACKET
clustering and yes, they are doing session reassembly - and each thread gets
both directions.
Have you enabled clustering, actually?
> Clustered AF_PACKET support
> ---------------------------
>
> Key: BIT-1363
> URL: https://bro-tracker.atlassian.net/browse/BIT-1363
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: git/master
> Reporter: Michal Purzynski
>
> Let's have support for packet capture with AF_PACKET sockets in a
> multi-worker configuration.
> Bro can use a single worker with af_packet, I have tested it and it works, but
> having direct support for multi-worker load balancing would allow avoiding
> pf_ring for many deployments with a traffic level where DNA / ZC /
> Myricom / DAG is not required.
_______________________________________________
bro-dev mailing list
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev