Ours works fine on linux with the interfaces set in etc/bro.cfg like:
BRO_CAPTURE_INTERFACE="eth2 eth3"
Tim Brooks
Vern Paxson wrote:
i looked at the c-code. i runned it on different machines and
on various interfaces. bro still drops most of the packets
when i force it to listen on two interfaces.is it a libpcap problem?
a bro problem?
a linux problem?I believe it's a Linux problem. We do this under FreeBSD in two different
ways, either merging the interfaces in the kernel into one logical interface
(via a custom patch), or at user level. While the in-kernel version
performs better, the user-level one isn't a disaster like you describe.I also recall hearing others mention that multiple interfaces under Linux
do not work well in general. I don't use Linux, though, so can't comment
more directly.Vern
_______________________________________________
Bro mailing list
bro@bro-ids.org
mailman.icsi.berkeley.edu Mailing Lists
- --
Tim Brooks
Security Engineer
National Center for Supercomputing Applications
605 East Springfield Avenue Champaign, IL 61820