[Bro-Dev] snaplen and drops

Lothar Braun braun at net.in.tum.de
Tue Nov 1 16:48:59 PDT 2011


On Oct 29, 2011, at 12:21 AM, Martin Holste wrote:

> Glad you were able to sort this out.  I use PF_RING exclusively for
> packet capture, so I've not run into this before.
> In the future, AF_PACKET support would be a great addition to Bro and
> would bring it closer to Snort and Suricata as far as acquisition.
> It's got performance reasonably close to PF_RING without having to
> download anything extra.  

I'm a bit puzzled. If I understand things correctly, libpcap-1.0.0 uses AF_PACKET by default (after checking that MMAP support is available in the running kernel). 

As far as I understand, AF_PACKET is the kernel socket infrastructure that allows having an mmapped buffer between the kernel and userspace and a socket that can be polled/waited on when no packets are stored in the buffer. Using a "new" libpcap with a modern kernel should already provide AF_PACKET support.

Am I missing something?

> However, you need to be running a 3.0 Linux
> kernel to do software load-balancing, which is one of the reasons I
> use PF_RING.

Cool, I wasn't aware of load balancing features in the standard kernel. Did you do some experiments to compare the standard kernel load-balancing to the one provided by PF_RING?

Best regards,

Lothar Braun
Chair for Network Architectures and Services (I8)
Department of Informatics
Technische Universität München
Boltzmannstr. 3, 85748 Garching bei München, Germany
Phone:  +49 89 289-18010       Fax: +49 89 289-18033
E-mail: braun at net.in.tum.de 
