<div dir="ltr"><div>There is no need to use pf_ring on any modern operating Linux version. Linux has the af_packet packet capture mechanism that does the job really well.</div><div><br></div><div>Our production is based on either Intel's X720 or Mellanox ConnectX-4 Lx cards (any modern Mellanox will do) and the af_packet in a QM mode. That means card's hardware can do the filtering (and Mellanox is way more flexible than Intel here) and symmetric hashing, working with af_packet. BTW Mellanox is cool in yet another way - they happily work with flexoptics SFP modules, further saving us $$$.<br></div><div><br></div><div>I'm happy to answer all your questions about this setup - so feel free to ask. You cannot get me tired talking about this ;)</div><div><br></div><div>BTW, a while ago, while working with the Suricata's project developer Peter Manev we wrote these documents. They are slightly outdated but the basics they describe haven't changed much.</div><div><br></div><div><a href="https://github.com/pevma/SEPTun">https://github.com/pevma/SEPTun</a></div><div><a href="https://github.com/pevma/SEPTun-Mark-II">https://github.com/pevma/SEPTun-Mark-II <- our production is based on this one<br></a></div><div><br></div><div>There will also be a talk (shameless self-promotion mode on) on the Zeek week where I'll present our setup in details and hopefully answer all questions people might have.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Sep 6, 2019 at 12:12 PM Greg Grasmehr <<a href="mailto:greg.grasmehr@caltech.edu" target="_blank">greg.grasmehr@caltech.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
I'm curious if anyone is utilizing Intel 40G NICs and PF_RING ZC and if<br>
you'd be willing to share your experience? I'm interested in learning<br>
about which NIC you chose and how well it is working out.<br>
<br>
Thanks in advance for any info and Happy Friday!<br>
<br>
-- <br>
Sincerely,<br>
<br>
Greg Grasmehr<br>
Lead Information Security Analyst<br>
California Institute of Technology (Caltech)<br>
GPGMe: 38E2 F9BD A95E 9824 20AB 331A 9E29 D1A1 AAEE 5F42<br>
<a href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x9E29D1A1AAEE5F42" rel="noreferrer" target="_blank">pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x9E29D1A1AAEE5F42</a><br>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a><br>
</blockquote></div>