[Bro-Dev] snaplen and drops
braun at net.in.tum.de
Tue Nov 1 16:43:11 PDT 2011
On Oct 28, 2011, at 5:56 PM, Robin Sommer wrote:
> Anyways, for Bro it probably makes most sense to address this as a
> part of a larger piece we already have on our to-do list: overhauling
> Bro's code for packet acquisition. It's in pretty bad shape right now:
> (1) the main packet loop still works around problems with non-blocking
> mode in older libpcap/OS versions; I would hope that's not necessary
> anymore. (2), we don't have a nice interface for using other packet
> sources than libpcap; we need an abstraction there.
Snort has an abstraction layer called libdaq:
I haven't had a look at it myself, so I cannot make a statement on whether it's a good abstraction layer. But maybe it can be used in Bro, too.
> And finally (3),
> if we got an interface in to exploit further NIC-level features, like
> load-balancing, that would be pretty cool.
Yes, these new features might be very cool. However, if you rely on these hardware features, you might run into hardware-specific problems.
Some NICs seem to use a per-flow scheme for distributing traffic onto multiple queues. This can lead to problems if you use such NICs for distributing traffic to multiple Bro instances: Client and server traffic of a single TCP connection might be forwarded to different worker nodes.
We therefore use software load-balancing for setups with multiple Bro worker nodes on a single machine.
Chair for Network Architectures and Services (I8)
Department of Informatics
Technische Universität München
Boltzmannstr. 3, 85748 Garching bei München, Germany
Phone: +49 89 289-18010 Fax: +49 89 289-18033
E-mail: braun at net.in.tum.de
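
The split-connection problem described in the message above, as an added example that is not part of the original post and not Bro's or any NIC's code: a direction-sensitive hash sends the two directions of a TCP connection to different workers, while a hash over the canonically ordered endpoints keeps them together. The worker count, the toy hash `mix` and the sample connections are all assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define NUM_WORKERS 4u /* assumed number of worker processes */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct pkt { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; };

/* Order-sensitive toy hash: a stand-in for a per-flow NIC queue hash (assumption). */
static uint32_t mix(uint32_t ip_a, uint32_t ip_b, uint16_t port_a, uint16_t port_b) {
    uint32_t h = ip_a;
    h = h * 31u + ip_b;
    h = h * 31u + port_a;
    h = h * 31u + port_b;
    return h;
}

/* Hashes the tuple as seen on the wire, so each direction hashes differently. */
unsigned directional_worker(const struct pkt *p) {
    return mix(p->src_ip, p->dst_ip, p->src_port, p->dst_port) % NUM_WORKERS;
}

/* Puts the endpoints in a canonical order first, so both directions agree. */
unsigned symmetric_worker(const struct pkt *p) {
    int swap = p->src_ip > p->dst_ip ||
               (p->src_ip == p->dst_ip && p->src_port > p->dst_port);
    return (swap ? mix(p->dst_ip, p->src_ip, p->dst_port, p->src_port)
                 : mix(p->src_ip, p->dst_ip, p->src_port, p->dst_port)) % NUM_WORKERS;
}

/* Counts connections whose request and reply directions reach different workers. */
unsigned count_split(unsigned (*pick)(const struct pkt *), const struct pkt *c, unsigned n) {
    unsigned split = 0;
    for (unsigned i = 0; i < n; i++) {
        struct pkt rev = { c[i].dst_ip, c[i].src_ip, c[i].dst_port, c[i].src_port };
        split += pick(&c[i]) != pick(&rev);
    }
    return split;
}

/* Constructed sample connections (client -> server direction). */
static const struct pkt sample[3] = {
    { IP(10, 0, 0, 1), IP(10, 0, 0, 2), 40000, 80 },
    { IP(10, 0, 0, 5), IP(192, 168, 1, 10), 51512, 443 },
    { IP(172, 16, 0, 7), IP(172, 16, 0, 9), 33333, 22 },
};

int main(void) {
    printf("split, direction-sensitive: %u of 3\n", count_split(directional_worker, sample, 3));
    printf("split, symmetric:           %u of 3\n", count_split(symmetric_worker, sample, 3));
    return 0;
}
```

A worker that receives only one direction of a connection cannot reassemble the stream, so a non-zero split count on a monitoring host means analysis gaps rather than just uneven load.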