[Bro] Copying bpf buffers into multiple locations

Mcclelland-Bane, Randy rmcclel at sandia.gov
Sat Feb 23 22:10:36 PST 2008


Has any work been done by the Bro team (or others) on copying a single bpf stream into multiple locations with *BSD? I.e., one stream of incoming packets from a NIC gets copied into several virtual locations instead of just your standard "em0" etc. kernel locations. I've been googling for a bit and can't find anything substantial. I've seen some products/vendors that do this on Linux, but nothing for BSD.

There used to be the FreeBSD 4.x patches out there for Bro, but if I remember correctly those enabled bonding and didn't try to do any copying like I'm describing.

With the advent of more and more processors in multicore silicon, it seems that the bpf buffers could be a bottleneck to multiprocess/thread or "multi-instance" designs. This could enable us to run more CPU-intensive instances of Bro on a second CPU while the first handles most of the routine traffic on a single machine without getting major packet loss.

Thanks,

Randy




