[Bro] RSS and packet reordering

Björn Samvik Bjorn.Samvik at netclean.com
Wed Aug 20 00:30:27 PDT 2014


I'm developing a program that dumps selected traffic to a tap device
which Bro is listening on. This works great. However, to increase
performance I'm trying to use receive side scaling, splitting the packet
stream into multiple queues according to IPs, ports etc. This results in
packet reordering which confuses Bro and the data is not analyzed and
assembled correctly. Other programs such as Wireshark and tcpflow are
able to assemble the traffic correctly so all data is there. Typically
small packets such as ACKs seem to arrive before larger packets.

I have been searching for Bro configurations that affect the TCP
reassembly process but have so far not found anything that makes the
situation better. Are there any particular configurations I should look at?

Does anyone have experience with RSS and have any ideas how the packet
reordering issue can be mitigated?

Thank you
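
One way to measure the symptom described above, as an added example that is not part of the original post: it walks TCP segments in arrival order and reports ACKs that cover bytes not yet seen from the other direction. The record layout, function name and sample segments are constructed for illustration; handshake flags and sequence-number wraparound are ignored, and relative sequence numbers are assumed.

```python
from collections import namedtuple

# Constructed record: one TCP segment as delivered to the tap, in arrival order.
Seg = namedtuple("Seg", "src sport dst dport seq length ack")

def acks_ahead_of_data(segments):
    """Return segments whose ACK number covers bytes the peer has not yet
    been seen sending, i.e. the ACK overtook the data it acknowledges."""
    highest_sent = {}  # direction 4-tuple -> highest (seq + length) seen so far
    early = []
    for s in segments:
        sender = (s.src, s.sport, s.dst, s.dport)
        peer = (s.dst, s.dport, s.src, s.sport)
        # The ACK number refers to bytes sent in the peer direction.
        # Without a baseline for that direction nothing can be concluded.
        if peer in highest_sent and s.ack > highest_sent[peer]:
            early.append(s)
        end = s.seq + s.length
        highest_sent[sender] = max(highest_sent.get(sender, end), end)
    return early

# Constructed sample flow: client 10.0.0.1:40000 <-> server 10.0.0.2:80.
C, S = ("10.0.0.1", 40000), ("10.0.0.2", 80)
IN_ORDER = [
    Seg(*C, *S, 1, 100, 1),         # request
    Seg(*S, *C, 1, 1460, 101),      # response part 1
    Seg(*C, *S, 101, 0, 1461),      # ACK for part 1
    Seg(*S, *C, 1461, 1460, 101),   # response part 2
    Seg(*C, *S, 101, 0, 2921),      # ACK for part 2
]
# Same segments, but the last small ACK is delivered before the large
# data segment it acknowledges.
REORDERED = IN_ORDER[:3] + [IN_ORDER[4], IN_ORDER[3]]

if __name__ == "__main__":
    for name, stream in (("in order", IN_ORDER), ("reordered", REORDERED)):
        hits = acks_ahead_of_data(stream)
        print(f"{name}: {len(hits)} ACK(s) ahead of data")
        for h in hits:
            print(f"  {h.src}:{h.sport} -> {h.dst}:{h.dport} ack={h.ack}")
```

Running the same check on a capture taken with RSS enabled and on one taken with a single queue gives a count of how much reordering the multi-queue path introduces.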


