[ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22402#comment-22402 ]
Jan Grashoefer commented on BIT-1363:
-------------------------------------

Hi,

I experienced the same issues and wrote a minimal example using libpcap and setsockopt, as I suspected it to interfere. Based on [http://www.binarytides.com/packet-sniffer-code-c-libpcap-linux-sockets/] and [https://www.kernel.org/doc/Documentation/networking/packet_mmap.txt] I came to the attached result: [^pcap.c]

With this example I was able to reproduce the behavior: It forks 4 processes and for each creates a log (<pid>.log) with source/destination address (ordered) and port if available.

All in all I came to the same conclusion as Michal. Therefore I am trying to write a small POC of an AF_Packet plugin for Bro. If you think you can fix the issue using libpcap, I would be very curious about it. Maybe you can keep us up to date on your research.

> Clustered AF_PACKET support
> ---------------------------
>
>                 Key: BIT-1363
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Michal Purzynski
>         Attachments: pcap.c
>
>
> Let's have support for packet capture with the AF_PACKET sockets in multi
> worker configuration.
> Bro can use a single worker with af_packet, I have tested and it works, but
> having direct support for multi-worker load balancing would allow avoiding
> pf_ring for many deployments with the traffic level where DNA / ZC /
> Myricom / DAG is not required.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-07-011#70107)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev