[Bro] RSS and packet reordering
Bjorn.Samvik at netclean.com
Tue Aug 26 00:24:50 PDT 2014
Thanks for the answer.
I'm using pfring with rss rehashing so it's bidirectional.
From bor's perspective there is only a tap device with one queue . I'm
developing a program that basically acts as a filter between the network
stream and bro, this program uses RSS to be able to cope with 10GBit/s.
Bro only sees a small fraction of the entire network stream.
I would like to disable the RSS which is working extremely well.
Unfortunately this gives me performance issues since I'm not able to
process all the traffic.
So potential solutions I'm investigating.
1. In some way mitigate the reordering issue at network card/pfring
level without disabling RSS, have so far not found a solution for this.
2. Tell bro to reorder the packets, I guess bro already does this but
gives up if the packets are to much out of order. Is there any
parameters I can change to tell bro to try harder?
3. One option is of cause to reorder the packets myself before sending
them to bro.
On 2014-08-25 16:06, Seth Hall wrote:
> On Aug 20, 2014, at 3:30 AM, Björn Samvik <Bjorn.Samvik at netclean.com> wrote:
>> Anyone have experience with RSS and have any ideas how the packet
>> reordering issue can be mitigated?
> Are you using straight RSS without any modifications? By default the Toeplitz hash that RSS uses is not a bidirectional hash. i.e., each flow of a connection ends up on a different NIC queue. As a general rule though, you should try to avoid anything that could result in packet reordering.
> Another question, how are you making Bro attach to the various NIC hardware queues?
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
More information about the Bro