Bro is written using libpcap, the portable packet-capture
library available from
ftp://ftp.ee.lbl.gov/libpcap.tar.Z
. While
libpcap knows how to use a wide range of Unix packet filters, it
far and away performs most efficiently used in conjunction with the Berkeley
Packet Filter (BPF) and with BPF descendants (such as the Digital Unix
packet filter). Althought BPF is available from
ftp://ftp.ee.lbl.gov/bpf.tar.Z
, installing
it involves modifying your kernel, and perhaps requires significant porting
work. However, it comes as part of several operating systems, such as
FreeBSD, NetBSD, and OpenBSD.
For BPF systems, you should be aware of the follwoing tuning and configuration issues:
Under FreeBSD, the configuration variable to increase is
debug.bpf_bufsize
, which you can set via sysctl. We
recommend creating a script run at boot-up time that increases it
from its small default value to something on the order of 100 KB–2 MB,
depending on how fast (heavily loaded) is the link being monitored,
and how much physical memory the monitor machine has at its disposal.
libpcap buffer size patch:
Important note: some versions of have
internal code that limits the maximum buffer size to 32 KB. For
these systems, you should apply the patch included in the Bro distribution
in the file libpcap.patch
.
Finally, once you have increased the buffer sizes, you should check that running Bro does indeed consume the amount of kernel memory you expect. You can do this under FreeBSD using vmstat -m and searching in the output for the summary of BPF memory. You should find that the MemUse statistic goes up by twice the buffer size for every concurrent Bro or tcpdump you run.1 The reason the increase is by twice the buffer size is because Bro uses double-buffering to avoid dropping packets when the buffer fills up.
[1] Providing that these programs have been recompiled with the corrected libpcap noted above.