[Bro-Dev] snaplen and drops

Seth Hall seth at icir.org
Wed Nov 2 06:37:41 PDT 2011

On Nov 1, 2011, at 7:43 PM, Lothar Braun wrote:

> Snort has an abstraction layer called libdaq:
> I haven't had a look at it myself, so I cannot make a statement on whether its a good abstraction layer. But maybe it  can be used in Bro, too.

Nope, it's GPL.  I asked on their mailing list if they could relicense it as BSD right after they announced it a while back and I never heard back from anyone. 

> Some NICs seem to use a per-flow scheme for distributing traffic onto multiple queues. This can lead to problems if you use such NICs for distributing traffic to multiple Bro instances: Client and server traffic of a single TCP connection might be forwarded to different worker nodes.

The fairly common RSS feature in NICs does this sort of round robin packet distribution across queues, but Intel's newer Flow Director feature on their high ends NICs does flow based load balancing across the queues so you actually get client and server traffic in the same queue.  On Linux, the only way I know to take advantage of that is with TNAPI (from Luca Deri and the other NTOP guys).

Lately I've been very impressed with Myricom's sniffer drivers which do the hardware based load balancing and direct memory injection.  Their drivers work on FreeBSD and Linux which is an added benefit too.  We need to make some small modifications to broctl to better support clustering with them, but they've been very problem free so far.  Charging extra for special drivers seems a bit underhanded to me though (Myricom's sniffer drivers cost extra).

> We therefore use software load-balancing for setups with multiple Bro worker nodes on a single machine.

How are you doing this?  PF_RING is also doing software based load balancing in the kernel, but it's actually slightly wrong because it includes the vlan-id as one of the tuples they balance on which can cause problems for network where each direction of traffic is in a different vlan.  I filed a ticket with them to make the load balancing configurable though so hopefully that will be fixed in the next release of PF_RING.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the bro-dev mailing list