[Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

Seth Hall (JIRA) jira at bro-tracker.atlassian.net
Tue Sep 8 10:33:00 PDT 2015

    [ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22002#comment-22002 ] 

Seth Hall commented on BIT-1363:

Coming back around to this, I just discovered (after seeing multiple references to the contrary) that AF_Packet actually does per-flow balancing which means that this isn't a viable mechanism for Bro.  My testing just showed each flow of a connection being balanced out to two separate Bro processes.  

Does anyone know if there is something incomplete from the configuration that was merged into Bro?  I can't find anything in AF_Packet docs that I've been reading that suggests otherwise.  I think that this might not be a mechanism that we are able to use for load balancing since it's not bidirectional.

> Clustered AF_PACKET support
> ---------------------------
>                 Key: BIT-1363
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Michal Purzynski
> Let's have a support for packet capture with the AF_PACKET sockets in multi worker configuration.
> Bro can use a single worker with af_packet, I have tested and it works, but having a direct support for multi-worker load balancing would allow to avoid the pf_ring for many deployments with the traffic level where DNA / ZC / Myricom / DAG is not required.

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list