[Bro] RSS and packet reordering

Björn Samvik Bjorn.Samvik at netclean.com
Tue Aug 26 00:24:50 PDT 2014

Hello Seth,

Thanks for the answer.

I'm using pfring with RSS rehashing so it's bidirectional.

From Bro's perspective there is only a tap device with one queue. I'm 
developing a program that basically acts as a filter between the network 
stream and Bro, this program uses RSS to be able to cope with 10GBit/s. 
Bro only sees a small fraction of the entire network stream.

I would like to disable the RSS which is working extremely well. 
Unfortunately this gives me performance issues since I'm not able to 
process all the traffic.

So, potential solutions I'm investigating:
1. In some way mitigate the reordering issue at network card/pfring 
level without disabling RSS, have so far not found a solution for this.
2. Tell Bro to reorder the packets, I guess Bro already does this but 
gives up if the packets are too much out of order. Are there any 
parameters I can change to tell Bro to try harder?
3. One option is of course to reorder the packets myself before sending 
them to Bro.



On 2014-08-25 16:06, Seth Hall wrote:
> On Aug 20, 2014, at 3:30 AM, Björn Samvik <Bjorn.Samvik at netclean.com> wrote:
>> Anyone have experience with RSS and have any ideas how the packet
>> reordering issue can be mitigated?
> Are you using straight RSS without any modifications?  By default the Toeplitz hash that RSS uses is not a bidirectional hash.  i.e., each flow of a connection ends up on a different NIC queue.  As a general rule though, you should try to avoid anything that could result in packet reordering.
> Another question, how are you making Bro attach to the various NIC hardware queues?
>    .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
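
Added example, not part of the original thread: a Toeplitz hash over the IPv4/TCP 4-tuple, showing that the default RSS key hashes the two directions of a connection differently while a 16-bit periodic key hashes them identically. The function names, the modulo queue selection and the repeated-0x6d5a key are assumptions made for illustration; the thread does not say how the pfring rehashing is implemented.

```python
import ipaddress
import struct

# Default 40-byte key from Microsoft's RSS hash verification documentation.
DEFAULT_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b4"
    "77cb2da38030f20c6a42b73bbeac01fa")
# Assumption: a key repeating one 16-bit pattern. Swapping the addresses moves
# input bits by 32 and swapping the ports by 16, so each bit meets the same
# key window and the hash does not change.
SYMMETRIC_KEY = bytes.fromhex("6d5a") * 20


def toeplitz(key, data):
    """32-bit Toeplitz hash: XOR the 32-bit key window at every set input bit."""
    k = int.from_bytes(key, "big")
    kbits = len(key) * 8
    result = 0
    for i in range(len(data) * 8):
        if data[i // 8] & (0x80 >> (i % 8)):
            result ^= (k >> (kbits - 32 - i)) & 0xFFFFFFFF
    return result


def rss_input(src, dst, sport, dport):
    """Hash input for IPv4 with TCP: src addr, dst addr, src port, dst port."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HH", sport, dport))


def directions(key, a, b, pa, pb):
    """Return (hash of a->b, hash of b->a) for one connection."""
    return (toeplitz(key, rss_input(a, b, pa, pb)),
            toeplitz(key, rss_input(b, a, pb, pa)))


def queue_for(hash_value, n_queues=16):
    # Simplification: real NICs index an indirection table with the low hash bits.
    return hash_value % n_queues


if __name__ == "__main__":
    # Sample flow taken from Microsoft's published RSS verification vectors.
    flow = ("66.9.149.187", "161.142.100.80", 2794, 1766)
    for name, key in (("default", DEFAULT_KEY), ("symmetric", SYMMETRIC_KEY)):
        fwd, rev = directions(key, *flow)
        print(f"{name:9s} fwd={fwd:#010x} q{queue_for(fwd)}  "
              f"rev={rev:#010x} q{queue_for(rev)}")
```

A symmetric hash only keeps both directions of a connection on one queue; it does not restore ordering once packets from different queues are merged into a single stream.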
