This plugin provides native NETMAP <https://github.com/luigirizzo/netmap> support for Bro as a packet source.
Follow NETMAP's instructions to get its kernel module and, potentially, custom drivers installed. Then install this plugin through the Bro Package Manager:

```
# bro-pkg install bro/bro-netmap
```

To use NETMAP, Bro needs read and write access to
you give that permission to a user, you can run Bro as non-root.
Once installed, you can use NETMAP interfaces/ports by prefixing them with `netmap::` or `vale::` on the command line. For example, to use NETMAP to monitor interface eth0:

```
bro -i netmap::eth0
```

Netmap does not enable promiscuous mode on interfaces; you'll have to do that yourself. For example, on Linux:

```
ifconfig eth0 promisc
```

To use it in production with multiple Bro processes, use a configuration similar to this in node.cfg:

```
[worker-1]
type=worker
host=localhost
lb_method=custom
lb_procs=<number of processes, like 16>
interface=netmap::<interface name, like p2p1>
```

This will start up Bro processes sniffing on NETMAP pipes attached to
the interface. In order to balance packets from the interface across
those pipes you will need to run the tool named `lb` that is included in the `apps/lb` directory of the NETMAP distribution. Make sure that you instruct `lb` to split the packets into the same number of pipes that
Bro is configured to sniff.
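
The following pre-flight check is an added example, not part of the plugin or of NETMAP: it reads a node.cfg, finds workers on `netmap::` interfaces, and reports a mismatch between `lb_procs` and the number of pipes `lb` was started with, or an interface that is not in promiscuous mode, since either leaves the sensor missing traffic. The sample node.cfg, the interface name `p2p1`, the count 16 and the operator-supplied `lb_pipes` mapping are assumptions; the promiscuous check reads the Linux sysfs `flags` file.

```python
import configparser

IFF_PROMISC = 0x100  # Linux IFF_PROMISC bit as shown in /sys/class/net/<iface>/flags

# Constructed node.cfg, modelled on the worker stanza above (p2p1 and 16 are sample values).
SAMPLE_NODE_CFG = """
[worker-1]
type=worker
host=localhost
lb_method=custom
lb_procs=16
interface=netmap::p2p1
"""

def netmap_workers(cfg_text):
    """Return {section: (interface, lb_procs)} for workers sniffing netmap:: sources."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    found = {}
    for name in cfg.sections():
        sec = cfg[name]
        iface = sec.get("interface", "")
        if sec.get("type") == "worker" and iface.startswith("netmap::"):
            found[name] = (iface.split("::", 1)[1], sec.getint("lb_procs", fallback=1))
    return found

def is_promisc(flags_text):
    """flags_text is the content of the sysfs flags file, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def preflight(cfg_text, lb_pipes, read_flags):
    """lb_pipes: {iface: pipe count given to lb}; read_flags: callable iface -> flags text."""
    problems = []
    for name, (iface, procs) in netmap_workers(cfg_text).items():
        if lb_pipes.get(iface) != procs:
            problems.append(f"{name}: lb_procs={procs}, lb pipes on {iface}={lb_pipes.get(iface)}")
        if not is_promisc(read_flags(iface)):
            problems.append(f"{name}: {iface} is not in promiscuous mode")
    return problems

def sysfs_flags(iface):
    """Live reader for a Linux sensor; pass this as read_flags."""
    with open(f"/sys/class/net/{iface}/flags") as fh:
        return fh.read()

if __name__ == "__main__":
    # Constructed inputs: lb started with 8 pipes, interface flags without IFF_PROMISC.
    for problem in preflight(SAMPLE_NODE_CFG, {"p2p1": 8}, lambda iface: "0x1003"):
        print(problem)
```

On a live sensor, pass `sysfs_flags` as `read_flags` and the pipe count you actually gave `lb`.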