[Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

[Jan Grashoefer (JIRA)]

    [ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22402#comment-22402 ] 

Jan Grashoefer commented on BIT-1363:
-------------------------------------

Hi, I experienced the same issues and wrote a minimal example using libpcap and setsockopt, as I suspected it to interfere. Based on [http://www.binarytides.com/packet-sniffer-code-c-libpcap-linux-sockets/] and [https://www.kernel.org/doc/Documentation/networking/packet_mmap.txt] I came to the attached result: [^pcap.c] With this example I was able to reproduce the behavior: It forks 4 processes and for each creates a log (<pid>.log) with source/destination address (ordered) and port if available.
All in all I came to the same conclusion as Michal. Therefore I am trying to write a small POC of an AF_Packet plugin for Bro. If you think you can fix the issue using libpcap I would be very curious about. Maybe you can keep us up to date on your research.

> Clustered AF_PACKET support
> ---------------------------
>
>                 Key: BIT-1363
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Michal Purzynski
>         Attachments: pcap.c
>
>
> Let's have a support for packet capture with the AF_PACKET sockets in multi worker configuration.
> Bro can use a single worker with af_packet, I have tested and it works, but having a direct support for multi-worker load balancing would allow to avoid the pf_ring for many deployments with the traffic level where DNA / ZC / Myricom / DAG is not required.



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-07-011#70107)