[Bro] PF_RING for Bro

Sunjeet Singh sstattla at gmail.com
Mon Dec 13 14:44:59 PST 2010


Hi,

I am looking at increasing the performance of Bro by making use of 
PF_RING and TNAPI, at the kernel and driver level in Linux. These 
existing tools from http://www.ntop.org/news.php allow multi-threaded 
applications to drastically increase performance by making use of 
functionality that exists in several network cards today.

While PF_RING, TNAPI and other network-card functionality allow for 
phenomenal speed-up, they have to be tuned right or else they can lead 
to a negative effect on performance. So I'm trying to determine how to 
tune them to meet Bro's needs.

As Multi-threaded Bro is not ready yet, I am trying to think of a SIMPLE 
application that can best characterize the Bro workload. The design 
criteria that I have for this application so far are:

1. Send every packet belonging to a particular connection to the same core.
2. Introduce a small wait on every packet to simulate Bro's processing 
of that packet? What will be a good value?

I'd be very interested to have everyone's opinion on this. I really am 
looking for a very simple algorithm that will be a right approximation.


Thank you,
Sunjeet Singh
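
Added example, not part of the original post and not Bro or PF_RING code: one way to meet criterion 1 is a direction-independent hash of the 5-tuple, so that both halves of a connection map to the same worker. The struct layout, the function names and the choice of FNV-1a are assumptions made for this sketch, and the sample flows are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 5-tuple; field names are assumptions for this sketch. */
struct flow {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
};

/* FNV-1a over one 32-bit word, byte by byte. */
static uint32_t fnv1a_word(uint32_t h, uint32_t w) {
    for (int i = 0; i < 4; i++) {
        h ^= (w >> (8 * i)) & 0xffu;
        h *= 16777619u;
    }
    return h;
}

/* Direction-independent hash: order the two endpoints before hashing so
 * that A->B and B->A produce the same value. */
uint32_t flow_hash(const struct flow *f) {
    uint32_t ip_a = f->src_ip, ip_b = f->dst_ip;
    uint16_t pt_a = f->src_port, pt_b = f->dst_port;
    if (ip_a > ip_b || (ip_a == ip_b && pt_a > pt_b)) {
        ip_a = f->dst_ip;   ip_b = f->src_ip;
        pt_a = f->dst_port; pt_b = f->src_port;
    }
    uint32_t h = 2166136261u;            /* FNV offset basis */
    h = fnv1a_word(h, ip_a);
    h = fnv1a_word(h, ip_b);
    h = fnv1a_word(h, ((uint32_t)pt_a << 16) | pt_b);
    h = fnv1a_word(h, f->proto);
    return h;
}

/* Worker (core) index for a packet; n_workers must be greater than 0. */
unsigned pick_worker(const struct flow *f, unsigned n_workers) {
    return flow_hash(f) % n_workers;
}

int main(void) {
    /* Constructed sample: the two directions of one TCP connection. */
    struct flow c2s = {0x0a000001, 0xc0a80105, 51544, 80, 6};
    struct flow s2c = {0xc0a80105, 0x0a000001, 80, 51544, 6};
    printf("c2s -> %u, s2c -> %u\n", pick_worker(&c2s, 4), pick_worker(&s2c, 4));
    return 0;
}
```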




