We run bro by specifying a filter like:
1. -f "tcp" or
2. -f "tcp or udp"
Will one of these rules theoretically drop fewer packets than the other
on heavy load ? Also will one execute faster than the other ?
Well, the first captures <= as many packets as the second, so it may be a
bit better. *But* you usually shouldn't be using -f at all; the packets to
capture are set by the "capture_filter" and "restrict_filter" policy
variables, and if you look in the analyzers (e.g., FTP, login) in the
policy/*.bro files, you'll see that they already specify tighter filters
than the above. Either of the above will capture nearly all the traffic
on the link; for high-speed monitoring, Bro instead relies on filtering
out much of the traffic, capturing just TCP SYN/FIN/RST packets for general
TCP analysis, and protocol-specific traffic (e.g., port 21/tcp for FTP)
for the analyzers you instantiate.
If libpcap is losing packets due to the enormous traffic in a network,
can it be avoided by making the filter more specific ?