Hi,
We run bro by specifying a filter like:
1. -f "tcp" or
2. -f "tcp or udp"
Will one of these rules theoretically drop fewer packets than the other
on heavy load? Also, will one execute faster than the other?
Put another way, if I specify -f "tcp", then libpcap filters only tcp
packets from the lower layer, and if I change the filter by specifying -f
"tcp or udp", then libpcap filters both tcp and udp from the lower layer.
Would this change slow down Bro a bit?
If libpcap is losing packets due to the enormous traffic in a network,
can it be avoided by making the filter more specific ?
Thanks,
Ashley
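Added example, not part of the original post and not Bro or libpcap code: a small Python model of the libpcap capture path that the question is about. It assumes the standard picture of how a pcap filter behaves: the compiled filter runs on every packet that reaches the interface, matching packets are queued in a bounded kernel buffer, and the userspace reader (Bro here) drains that buffer at whatever rate it can sustain. A packet that matches while the buffer is full is the kind of loss pcap reports as a drop. The traffic mix, buffer size and drain rate are constructed for illustration; the two "filters" only mimic the match semantics of the strings in the post, not libpcap's compiled BPF, and the small difference in per-packet cost between the two BPF programs is not modelled.

```python
"""Toy model of a libpcap capture path (added illustration, not Bro/libpcap code).

Every packet is run through the filter, matches go into a bounded buffer,
and a userspace consumer drains the buffer at a fixed rate.  Matches that
arrive while the buffer is full are counted as drops.
"""
from collections import deque

# Constructed traffic mix: 60% tcp, 30% udp, 10% icmp, repeated in this order.
PATTERN = ["tcp", "tcp", "udp", "tcp", "icmp", "udp", "tcp", "tcp", "udp", "tcp"]


def make_traffic(n):
    """Return n packets (as transport-protocol names) in wire order."""
    return [PATTERN[i % len(PATTERN)] for i in range(n)]


# Hypothetical stand-ins for the two pcap filter strings from the post.
# They reproduce the match decision only, not the compiled BPF program.
FILTERS = {
    "tcp": lambda proto: proto == "tcp",
    "tcp or udp": lambda proto: proto in ("tcp", "udp"),
}


def simulate(traffic, filter_expr, buffer_size=8, drain_per_tick=4, arrivals_per_tick=10):
    """Run one filter over the traffic and return capture statistics.

    buffer_size       capacity of the (modelled) kernel capture buffer
    drain_per_tick    packets the userspace consumer can take per tick
    arrivals_per_tick packets that hit the interface per tick
    """
    match = FILTERS[filter_expr]
    buf = deque()
    stats = {"evaluated": 0, "matched": 0, "delivered": 0, "dropped": 0}

    for i, proto in enumerate(traffic):
        stats["evaluated"] += 1          # the filter sees every packet, accepted or not
        if match(proto):
            stats["matched"] += 1
            if len(buf) < buffer_size:
                buf.append(proto)
            else:
                stats["dropped"] += 1    # buffer full: this is the loss pcap reports

        # End of a tick: the consumer drains what it can.
        if (i + 1) % arrivals_per_tick == 0:
            for _ in range(min(drain_per_tick, len(buf))):
                buf.popleft()
                stats["delivered"] += 1

    # Once the burst is over the consumer empties whatever is left.
    stats["delivered"] += len(buf)
    return stats


def compare_filters(n_packets=100):
    """Run both filters from the post over the same constructed traffic."""
    traffic = make_traffic(n_packets)
    return {expr: simulate(traffic, expr) for expr in FILTERS}


if __name__ == "__main__":
    for expr, stats in compare_filters().items():
        print(f'-f "{expr}": {stats}')
```

With the constructed parameters both filters are evaluated on all 100 packets, so the filtering work itself is the same; the difference is in how many matches are pushed at the consumer. "tcp" matches 60 packets and loses 16 of them, while "tcp or udp" matches 90 and loses 46, yet both deliver the same 44 packets, which is the signature of a consumer that is the bottleneck: the more specific filter cuts drops by shrinking the volume handed to userspace, not by making the filter itself cheaper.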