CLASSIFICATION: UNCLASSIFIED

I have a question someone may or may not be able to help answer.

Basically, I have in the past used the "tc" utility of iproute2 to combine multiple network interfaces into one "dummy" interface for monitoring purposes. (Creating a bridge via brctl has led to broadcast storms in some network locations, so it's not an option.) Now that I've integrated PF_RING into my sensor build and integrated the PF_RING DAQ so that Snort uses it, I have the option to use the "lowlevelbridge" setting so that multiple interfaces are combined by PF_RING for Snort's purposes.

The question is: Is there an advantage of using one over the other? If I stick with using iproute2 to create a dummy interface, am I losing capture performance that the PF_RING DAQ could otherwise provide? (I'm not 100% certain, but I believe that Snort is generally reporting more packet loss when using the "dummy" interface than when using the PF_RING DAQ's lowlevelbridge option.)

If it helps, I'm following the approach described here for making the dummy interface using the iproute2 package: http://backreference.org/2014/06/17/port-mirroring-with-linux-bridges/

--
Scott Knick

CLASSIFICATION: UNCLASSIFIED
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
