[Bro-Dev] snaplen and drops
braun at net.in.tum.de
Tue Nov 1 16:48:59 PDT 2011
On Oct 29, 2011, at 12:21 AM, Martin Holste wrote:
> Glad you were able to sort this out. I use PF_RING exclusively for
> packet capture, so I've not run into this before.
> In the future, AF_PACKET support would be a great addition to Bro and
> would bring it closer to Snort and Suricata as far as acquisition.
> It's got performance reasonably close to PF_RING without having to
> download anything extra.
I'm a bit puzzled. If I understand things correctly, libpcap-1.0.0 uses AF_PACKET by default (after checking that MMAP support is available in the running kernel).
As far as I understand, AF_PACKET is the kernel socket infrastructure that allows having an mmapped buffer between the kernel and userspace and a socket that can be polled/waited on when no packets are stored in the buffer. Using a "new" libpcap with a modern kernel should already provide AF_PACKET support.
Am I missing something?
> However, you need to be running a 3.0 Linux
> kernel to do software load-balancing, which is one of the reasons I
> use PF_RING.
Cool, I wasn't aware of load balancing features in the standard kernel. Did you do some experiments to compare the standard kernel load-balancing to the one provided by PF_RING?
Chair for Network Architectures and Services (I8)
Department of Informatics
Technische Universität München
Boltzmannstr. 3, 85748 Garching bei München, Germany
Phone: +49 89 289-18010 Fax: +49 89 289-18033
E-mail: braun at net.in.tum.de