[Bro] RSS and packet reordering
Bjorn.Samvik at netclean.com
Wed Aug 20 00:30:27 PDT 2014
I'm developing a program that dumps selected traffic to a tap device
which bro is listening on. This works great. However to increase
performance I'm trying to use receive side scaling, splitting the packet
stream into multiple queues according to ips, ports etc. This results in
packet reordering which confuses bro and the data is not analyzed and
assembled correctly. Other programs such as wireshark and tcpflow are
able to assemble the traffic correctly so all data is there. Typically
small packets such as acks seems to arrive before larger packets.
I have been searching for bro configurations that affect the tcp
reassembly process but have so far not found anything that makes the
situation better. Is there any particular configurations I should look at?
Anyone have experience with RSS and have any ideas how the packet
reordering issue can be mitigated?
More information about the Bro