[Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

Kris Nielander (JIRA) jira at bro-tracker.atlassian.net
Mon Sep 28 04:02:00 PDT 2015


    [ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22401#comment-22401 ] 

Kris Nielander commented on BIT-1363:
-------------------------------------

I am keen to find the origin of the issue. I have been patching fanout into Bro for some time and I never came across these issues (other than not specifying the ID correctly). Did you try running the fanout example code from hxxps://www.kernel.org/doc/Documentation/networking/packet_mmap.txt ?

I can imagine that options set by libpcap don't do well with fanout, but essentially the patch operates on the (lower) socket layer. Perhaps some additional code checks need to be done, prior to moving to a separate AF_PACKET source implementation.

> Clustered AF_PACKET support
> ---------------------------
>
>                 Key: BIT-1363
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Michal Purzynski
>
> Let's have support for packet capture with AF_PACKET sockets in a multi-worker configuration.
> Bro can use a single worker with af_packet; I have tested it and it works, but having direct support for multi-worker load balancing would make it possible to avoid pf_ring for many deployments with traffic levels where DNA / ZC / Myricom / DAG is not required.



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-07-011#70107)
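
The socket-layer fanout join discussed in the comment above, as an added example that is not part of the original message or of the Bro patch; it follows the PACKET_FANOUT setsockopt usage documented in the kernel's packet_mmap.txt. The function names and the range check on the group ID are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* PACKET_FANOUT value: group id in the low 16 bits, mode|flags in the high 16; -1 if out of range. */
int64_t fanout_arg(unsigned long group_id, unsigned int mode_and_flags)
{
    if (group_id > 0xffff || mode_and_flags > 0xffff)
        return -1;
    return (int64_t)group_id | ((int64_t)mode_and_flags << 16);
}

/* Hypothetical helper: every worker must pass the same group_id and mode to share one group. */
int open_fanout_socket(const char *ifname, unsigned long group_id, unsigned int mode)
{
    int64_t v = fanout_arg(group_id, mode);
    if (v < 0) { fprintf(stderr, "fanout id/mode out of range\n"); return -1; }
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); /* needs CAP_NET_RAW */
    if (fd < 0) { perror("socket"); return -1; }
    struct sockaddr_ll ll;
    memset(&ll, 0, sizeof(ll));
    ll.sll_family = AF_PACKET;
    ll.sll_protocol = htons(ETH_P_ALL);
    ll.sll_ifindex = (int)if_nametoindex(ifname);
    if (ll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&ll, sizeof(ll)) < 0) {
        perror("bind"); close(fd); return -1;
    }
    int arg = (int)(uint32_t)v;
    if (setsockopt(fd, SOL_PACKET, PACKET_FANOUT, &arg, sizeof(arg)) < 0) {
        perror("setsockopt(PACKET_FANOUT)"); close(fd); return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s <ifname> <group-id>\n", argv[0]); return 2; }
    int fd = open_fanout_socket(argv[1], strtoul(argv[2], NULL, 0), PACKET_FANOUT_HASH);
    if (fd < 0) return 1;
    printf("joined fanout group %s on %s\n", argv[2], argv[1]);
    return close(fd);
}
```

Running the program from several processes with the same interface and group ID puts them in one fanout group; the explicit range check rejects an ID that does not fit in 16 bits before it reaches the kernel.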

