Hi all,
i'm using bro with the pf_ring driver in a cluster architecture as
written in the link below
https://www.bro.org/documentation/load-balancing.html
Now i've seen a plugin for bro able to provide native pf_ring support
https://github.com/bro/bro-plugins/tree/master/pf_ring
Sorry for the lazy question, but which are the benefits of this plugin?
Thanks
Hi Vito,
If you’re using Bro 2.4 or later, the pf_ring plugin is included in the stock Bro distribution. If that’s the case, then you do not need the plugin from github.
The plugin provides packet access when your setup includes PF_RING and you’re using Bro 2.4 or above. If you’re using Bro 2.3 or earlier, plugins don’t apply as the architecture didn’t support them.
When Bro introduced I/O sources with 2.4, the plugin architecture was created; Bro 2.3 didn’t use plugins for packet access. Check out the other Bro 2.4 plugins in /aux/bro-plugins.
You likely won’t see much of a benefit to using the plugin over using the libpcap wrapper honestly. Doing the single layer of indirection that is caused by the wrapper doesn’t add up to much overhead. Bro actually *doing* things causes most of the overhead.
The other small thing to keep in mind is that I haven’t heard many experiences of people using the plugin so the “not widely used code” caveat applies. 
.Seth