This plugin provides native PF_RING support for Bro.


Follow PF_RING’s instructions to get its kernel module and, potentially, custom drivers installed. The following will then compile and install the PF_RING plugin alongside Bro, assuming it can find the PF_RING headers in a standard location:

./configure && make && make install

If the headers are installed somewhere non-standard, add --with-pfring=<PF_RING-base-directory> to the configure command. If everything built and installed correctly, you should see this:

# bro -N Bro::PF_RING
Bro::PF_RING - Packet acquisition via PF_RING (dynamic, version 1.0)

To use PF_RING, you should run Bro as root.


Once installed, you can use PF_RING interfaces/ports by prefixing them with pf_ring:: on the command line. For example, to use PF_RING to monitor interface eth0:

bro -i pf_ring::eth0

