[Bro-Dev] snaplen and drops

Lothar Braun braun at net.in.tum.de
Tue Nov 1 16:43:11 PDT 2011


On Oct 28, 2011, at 5:56 PM, Robin Sommer wrote:

> Anyways, for Bro it probably makes most sense to address this as a
> part of a larger piece we already have on our to-do list: overhauling
> Bro's code for packet acquisition. It's in pretty bad shape right now:
> (1) the main packet loop still works around problems with non-blocking
> mode in older libpcap/OS versions; I would hope that's not necessary
> anymore. (2), we don't have a nice interface for using other packet
> sources than libpcap; we need an abstraction there.

Snort has an abstraction layer called libdaq:


I haven't had a look at it myself, so I cannot make a statement on whether it's a good abstraction layer. But maybe it can be used in Bro, too.

> And finally (3),
> if we got an interface in to exploit further NIC-level features, like
> load-balancing, that would be pretty cool. 

Yes, these new features might be very cool. However, if you rely on these hardware features, you might run into hardware-specific problems.

Some NICs seem to use a per-flow scheme for distributing traffic onto multiple queues. This can lead to problems if you use such NICs for distributing traffic to multiple Bro instances: Client and server traffic of a single TCP connection might be forwarded to different worker nodes.

We therefore use software load-balancing for setups with multiple Bro worker nodes on a single machine.

Best regards,

Lothar Braun
Chair for Network Architectures and Services (I8)
Department of Informatics
Technische Universität München
Boltzmannstr. 3, 85748 Garching bei München, Germany
Phone:  +49 89 289-18010       Fax: +49 89 289-18033
E-mail: braun at net.in.tum.de 
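
The split described in the message above (client and server traffic of one TCP connection reaching different workers), as an added example that is not part of the original post and not Bro or NIC code. It assumes a hypothetical hash (FNV-1a plus a final mix, chosen for illustration only), four workers, and constructed addresses; `worker_directional` hashes the tuple as it appears on the wire, `worker_symmetric` orders the endpoints first so both directions agree.

```c
#include <stdint.h>
#include <stdio.h>

/* Flow 4-tuple as seen on one packet (host byte order for simplicity). */
struct tuple { uint32_t src, dst; uint16_t sport, dport; };

/* Illustrative hash (assumption): FNV-1a over the fields in the order given, then a mix. */
static uint32_t hash_fields(uint32_t a, uint32_t b, uint16_t pa, uint16_t pb)
{
    uint32_t w[3] = { a, b, ((uint32_t)pa << 16) | pb };
    uint32_t h = 2166136261u;
    for (int i = 0; i < 3; i++)
        for (int s = 0; s < 32; s += 8)
            h = (h ^ ((w[i] >> s) & 0xff)) * 16777619u;
    h ^= h >> 16; h *= 0x85ebca6bu;
    return h ^ (h >> 13);
}

/* Directional: hashes src/dst exactly as they appear on the packet. */
unsigned worker_directional(struct tuple t, unsigned n)
{
    return hash_fields(t.src, t.dst, t.sport, t.dport) % n;
}

/* Symmetric: put the endpoints in canonical order so both directions match. */
unsigned worker_symmetric(struct tuple t, unsigned n)
{
    if (t.src > t.dst || (t.src == t.dst && t.sport > t.dport))
        return hash_fields(t.dst, t.src, t.dport, t.sport) % n;
    return hash_fields(t.src, t.dst, t.sport, t.dport) % n;
}

/* Count constructed connections whose two directions land on different workers. */
unsigned count_split(unsigned (*pick)(struct tuple, unsigned), unsigned flows, unsigned n)
{
    unsigned split = 0;
    for (unsigned i = 0; i < flows; i++) {
        /* Constructed sample: clients 10.0.0.x, server 192.0.2.10:443. */
        struct tuple c2s = { 0x0a000000u + i, 0xc000020au, (uint16_t)(40000 + i), 443 };
        struct tuple s2c = { c2s.dst, c2s.src, c2s.dport, c2s.sport };
        if (pick(c2s, n) != pick(s2c, n)) split++;
    }
    return split;
}

int main(void)
{
    printf("split connections, directional: %u, symmetric: %u (of 1000)\n",
           count_split(worker_directional, 1000, 4), count_split(worker_symmetric, 1000, 4));
    return 0;
}
```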
