[
https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22012#comment-22012
]
Michal Purzynski commented on BIT-1363:
---------------------------------------
I'm trying to understand now how Bro uses the libpcap and I'm reading the
libpcap source at the same time.
PcapSource::OpenLive() calls pcap_create() and pcap_activate() later, which in
turn, inside libpcap calls pcap_activate_linux() that tries hard to use mmap()
and TPACKET_V3. Cool :-)
A lot of magic happens after but libpcap is really good in autodetection -
granted that you use it like designed, and not pick and choose functions. So we
are good here.
A documentation piece would be nice, that would recommend kernel at least 3.13
and libpcap 1.6 (or even 1.5). Maybe it will work on RHEL 7 stone-age-old 3.10.
> Clustered AF_PACKET support
> ---------------------------
>
> Key: BIT-1363
> URL: https://bro-tracker.atlassian.net/browse/BIT-1363
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: git/master
> Reporter: Michal Purzynski
>
> Let's have a support for packet capture with the AF_PACKET sockets in multi
> worker configuration.
> Bro can use a single worker with af_packet, I have tested and it works, but
> having a direct support for multi-worker load balancing would allow to avoid
> the pf_ring for many deployments with the traffic level where DNA / ZC /
> Myricom / DAG is not required.
--
This message was sent by Atlassian JIRA
(v7.0.0-OD-04-018#70102)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
