[Bro] Linux Kernel dropping a lot of packets

Peter Van Epp vanepp at sfu.ca
Tue Mar 13 15:57:55 PDT 2007

On Tue, Mar 13, 2007 at 01:36:55PM -0700, Mark Dedlow wrote:
> Peter Van Epp wrote:
> >	If you are up for adventure you should look at the pf-ring code from
> >www.ntop.org. While fairly exciting to get in (it replaces the native pcap
> >code in the kernel) once you do it appears to work fairly well. On an 
> >earlier
> >version of pf-ring we managed to keep up with a 995 megabit jumbo frame 
> >netperf
> >run with argus (the jumbos however are the best case traffic senario). I 
> >have
> >the latest version running in an IBM P510 in OpenSUSE 10.2 and a 2.6.18 
> >kernel
> >(I think) but haven't yet managed to get it in to a busy gig link yet (the 
> >original link has gone 10 gig in the interrum and is thus no longer 
> >available
> >:-)). Small packets are its most likely weakness.
> I tested this recently, and while a great improvement, it was
> still considerably less than out-of-the-box FreeBSD performance.
> Mark

	Hmmm, perhaps I should test again. At that point on a dual athelon
FreeBSD (which is my default platform for running argus on) lost %50 of the
traffic on that gig link. Same hardware with Linux and pf-ring lost nothing.
I did see that the FreeBSD 6 series was supposed to improve networking but
unless they also made radical changes in bpf the kernel/user copy eats 
memory bandwidth (which pf-ring I believe avoids by doing ugly things direct
to the page tables avoiding the memory to memory copy). I recall the pf-ring
author also saying the same trick wouldn't work on FreeBSD and he felt the
code was going to be hard to port to FreeBSD. 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the Bro mailing list