[Bro] RSS and packet reordering
seth at icir.org
Tue Aug 26 05:54:19 PDT 2014
On Aug 26, 2014, at 3:24 AM, Björn Samvik <Bjorn.Samvik at netclean.com> wrote:
> I'm using pfring with rss rehashing so it's bidirectional.
Ahh, that explains a lot.
> From Bro's perspective there is only a tap device with one queue. I'm
> developing a program that basically acts as a filter between the network
> stream and bro, this program uses RSS to be able to cope with 10GBit/s.
> Bro only sees a small fraction of the entire network stream.
You may want to wait a bit on this. :)
We should be announcing a new tool soon that does this and is *very* flexible. It uses netmap to get packets into user space and then you essentially get "packet bricks" to build your own packet handling pipeline, very similar to the "Click! Software Router" if you're familiar with that. Our intern this summer has been working really hard on getting this tool ready and I think that everyone is really going to like it.
> 1. In some way mitigate the reordering issue at network card/pfring
> level without disabling RSS, have so far not found a solution for this.
With the way that PF_Ring is doing this I don't think there is a solution for it.
> 2. Tell bro to reorder the packets, I guess bro already does this but
> gives up if the packets are too much out of order. Are there any
> parameters I can change to tell bro to try harder?
This is kind of a mess and has a ton of edge cases. Since the packets arrive without timestamps, we wouldn't even have a mechanism to reorder them. The TCP reassembler ends up being how they're reordered, but that can fail for a number of reasons due to the reordering.
> 3. One option is of course to reorder the packets myself before sending
> them to bro.
Yes, but you're in the position where you still wouldn't know how to reorder them without timestamps.
International Computer Science Institute
(Bro) because everyone has a network