Fwd: [Ntop-misc] PF_RING DAQ lowlevelbridge vs. tc? (UNCLASSIFIED)

grarpamp grarpamp at gmail.com
Fri Aug 14 15:52:57 PDT 2015

---------- Forwarded message ----------
From: Knick, Scott E CTR (US) <scott.e.knick.ctr at mail.mil>
Date: Fri, Aug 14, 2015 at 9:16 AM
Subject: [Ntop-misc] PF_RING DAQ lowlevelbridge vs. tc? (UNCLASSIFIED)
To: "ntop-misc at listgateway.unipi.it" <ntop-misc at listgateway.unipi.it>


I have a question someone may or may not be able to help answer.
Basically, I have in the past used the "tc" utility of iproute2 to
combine multiple network interfaces into one "dummy" interface for
monitoring purposes. (Creating a bridge via brctl has led to broadcast
storms in some network locations, so it's not an option.) Now that
I've integrated PF_RING into my sensor build and integrated the
PF_RING DAQ so that Snort uses it, I have the option to use the
"lowlevelbridge" setting so that multiple interfaces are combined by
PF_RING for Snort's purposes. The question is: Is there an advantage
of using one over the other? If I stick with using iproute2 to create
a dummy interface, am I losing capture performance that the PF_RING
DAQ could otherwise provide? (I'm not 100% certain, but I believe that
Snort is generally reporting more packet loss when using the "dummy"
interface than when using the PF_RING DAQ's lowlevelbridge option.) If
it helps, I'm following the approach described here for making the
dummy interface using the iproute2
package: http://backreference.org/2014/06/17/port-mirroring-with-linux-bridges/

Scott Knick

