I'm still working on my problem described before.
And I still have no idea where I have to search.
I looked at the C code. I ran it on different machines and
on various interfaces. Bro still drops most of the packets
when I force it to listen on two interfaces.
Is it a libpcap problem?
A Bro problem?
A Linux problem?
I haven't used multiple interfaces myself yet, but in general
capturing seems to be more problematic on Linux than on FreeBSD.
With a stock Linux kernel, the performance is actually rather bad.
It works much better with Phil Wood's mmap pcap[1]. We've also
experimented with Luca Deri's RING patch, but there were some
strange problems (like not filtering correctly), and it doesn't
support SMP systems.
That said, could you try configuring Bro with --enable-selectloop
and see if that changes anything?
Robin
[1] Although rather recently I have encountered some weird
timestamps when using it...
> on various interfaces. Bro still drops most of the packets
> when I force it to listen on two interfaces.
> I haven't used multiple interfaces myself yet, but in general
> capturing seems to be more problematic on Linux than on FreeBSD.
> With a stock Linux kernel, the performance is actually rather bad.
> It works much better with Phil Wood's mmap pcap[1]. We've also
> experimented with Luca Deri's RING patch, but there were some
> strange problems (like not filtering correctly), and it doesn't
> support SMP systems.
Thank you for the tip, we are already evaluating Phil Wood's mmap pcap.
> That said, could you try configuring Bro with --enable-selectloop
> and see if that changes anything?
I tried the --enable-selectloop option and it doesn't seem to change
anything. Listening on two interfaces still doesn't work...