[Bro] Linux Kernel dropping a lot of packets

[Mark Dedlow]

Peter Van Epp wrote:
> On Tue, Mar 13, 2007 at 01:36:55PM -0700, Mark Dedlow wrote:
>> Peter Van Epp wrote:
>>> 	If you are up for adventure you should look at the pf-ring code from
>>> www.ntop.org. While fairly exciting to get in (it replaces the native pcap
>>> code in the kernel) once you do it appears to work fairly well. On an 
>>> earlier
>>> version of pf-ring we managed to keep up with a 995 megabit jumbo frame 
>>> netperf
>>> run with argus (the jumbos however are the best case traffic senario). I 
>>> have
>>> the latest version running in an IBM P510 in OpenSUSE 10.2 and a 2.6.18 
>>> kernel
>>> (I think) but haven't yet managed to get it in to a busy gig link yet (the 
>>> original link has gone 10 gig in the interrum and is thus no longer 
>>> available
>>> :-)). Small packets are its most likely weakness.
>> I tested this recently, and while a great improvement, it was
>> still considerably less than out-of-the-box FreeBSD performance.
>>
>> Mark
> 
> 	Hmmm, perhaps I should test again. At that point on a dual athelon
> FreeBSD (which is my default platform for running argus on) lost %50 of the
> traffic on that gig link. Same hardware with Linux and pf-ring lost nothing.
> I did see that the FreeBSD 6 series was supposed to improve networking but
> unless they also made radical changes in bpf the kernel/user copy eats 
> memory bandwidth (which pf-ring I believe avoids by doing ugly things direct
> to the page tables avoiding the memory to memory copy). I recall the pf-ring
> author also saying the same trick wouldn't work on FreeBSD and he felt the
> code was going to be hard to port to FreeBSD. 

I should add that I did not attempt a comprehensive comparison, and
that the performance probably varies significantly as a function of
variables such as traffic profile.  My tests used synthetic traffic
with a single packet size mix (simulating our actual environment.)
This was on 6.1 btw.

Mark