[Bro] Linux Kernel dropping a lot of packets
Peter Van Epp
vanepp at sfu.ca
Tue Mar 13 15:57:55 PDT 2007
On Tue, Mar 13, 2007 at 01:36:55PM -0700, Mark Dedlow wrote:
> Peter Van Epp wrote:
> > If you are up for adventure you should look at the pf-ring code from
> >www.ntop.org. While fairly exciting to get in (it replaces the native pcap
> >code in the kernel) once you do it appears to work fairly well. On an
> >version of pf-ring we managed to keep up with a 995 megabit jumbo frame
> >run with argus (the jumbos however are the best case traffic senario). I
> >the latest version running in an IBM P510 in OpenSUSE 10.2 and a 2.6.18
> >(I think) but haven't yet managed to get it in to a busy gig link yet (the
> >original link has gone 10 gig in the interrum and is thus no longer
> >:-)). Small packets are its most likely weakness.
> I tested this recently, and while a great improvement, it was
> still considerably less than out-of-the-box FreeBSD performance.
Hmmm, perhaps I should test again. At that point on a dual athelon
FreeBSD (which is my default platform for running argus on) lost %50 of the
traffic on that gig link. Same hardware with Linux and pf-ring lost nothing.
I did see that the FreeBSD 6 series was supposed to improve networking but
unless they also made radical changes in bpf the kernel/user copy eats
memory bandwidth (which pf-ring I believe avoids by doing ugly things direct
to the page tables avoiding the memory to memory copy). I recall the pf-ring
author also saying the same trick wouldn't work on FreeBSD and he felt the
code was going to be hard to port to FreeBSD.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
More information about the Bro