Fwd: [Ntop-misc] PF_RING DAQ lowlevelbridge vs. tc? (UNCLASSIFIED)
---------- Forwarded message ----------
From: Knick, Scott E CTR (US) <scott.e.knick.ctr@mail.mil>
Date: Fri, Aug 14, 2015 at 9:16 AM
Subject: [Ntop-misc] PF_RING DAQ lowlevelbridge vs. tc? (UNCLASSIFIED)
To: "ntop-misc@listgateway.unipi.it" <ntop-misc@listgateway.unipi.it>

CLASSIFICATION: UNCLASSIFIED

I have a question someone may or may not be able to help answer.

Basically, I have in the past used the "tc" utility of iproute2 to combine multiple network interfaces into one "dummy" interface for monitoring purposes. (Creating a bridge via brctl has led to broadcast storms in some network locations, so it's not an option.)

Now that I've integrated PF_RING into my sensor build and integrated the PF_RING DAQ so that Snort uses it, I have the option to use the "lowlevelbridge" setting so that multiple interfaces are combined by PF_RING for Snort's purposes.

The question is: Is there an advantage of using one over the other? If I stick with using iproute2 to create a dummy interface, am I losing capture performance that the PF_RING DAQ could otherwise provide? (I'm not 100% certain, but I believe that Snort is generally reporting more packet loss when using the "dummy" interface than when using the PF_RING DAQ's lowlevelbridge option.)

If it helps, I'm following the approach described here for making the dummy interface using the iproute2 package:

http://backreference.org/2014/06/17/port-mirroring-with-linux-bridges/

--
Scott Knick

CLASSIFICATION: UNCLASSIFIED

_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
participants (1): grarpamp