[Bro] Cluster setup

[hiren panchasara]

On Thu, Oct 31, 2013 at 5:51 PM, Seth Hall <seth at icir.org> wrote:
>
> On Oct 31, 2013, at 3:20 PM, hiren panchasara <hiren.panchasara at gmail.com> wrote:
>
>> Right. So (afaik) in FreeBSD we do not have PF_RING like functionality
>> where there is an PF_RING application sdk and applications can choose
>
> Ah, generally right now people are only doing load balancing on FreeBSD with Myricom NICs and the Myricom Sniffer driver.

This is not an option for me but I will surely see how they are doing it.
>
>> which queue it wants to listen to. Intel NIC (that I am using)
>> definitely can distribute traffic in 8 queues it has but question for
>> me is, how do I distribute it to the application/workers.
>
> In FreeBSD at the moment you don't.  It's possible that if you have netmap enabled you might be able to use that in some fashion, but generally those FlowDirector based queues on the high end Intel NICs aren't actually exposed in userland.  If you are talking about RSS (receive side scaling), then that's insufficient unless you have RX and TX RSS (I'm a little confused about this, but I read something recently that seemed to indicate this might be a thing on some NICs) because both directions of each connection need to go to each process.

Yeah, tricky part is the userland association. But I am also not too
clear on RSS detail. That looks like the only option I have. I need to
dig deeper.
>
>> Do they have PF_RING setup which blindly ports queue:1 traffic to
>> worker:1 and bro (using PF_RING's sdk) will do the parsing?
>
> Typically people run PF_Ring in mode 0 which is actually not exposing hardware load balanced traffic.  It's collecting all of the traffic and load balancing it in the core.

Here, core == bro's core?

I really appreciate you taking time out and responding to my questions, Seth :-)

cheers,
Hiren