[Bro] af_packet comparison to PF_RING ZC/DNA for Bro (in light of recent Suricata tuning paper)

Gary Faulkner gfaulkner.nsm at gmail.com
Fri Feb 17 12:54:47 PST 2017


After reading over the paper Michal and others worked on concerning 
tuning Suricata for best performance with AF_Packet, I'm wondering how 
af_packet performance compares to pf_ring DNA/ZC (with the commercially 
licensed drivers, not just vanilla), especially when it comes to Bro.

Is af_packet generally sufficient for Bro when it comes to monitoring 
100G+ networks using a cluster of commodity servers with Intel X520 NICs?

Is the distro shipped driver for something like an up-to-date Ubuntu 
16.04 (4.4 kernel) server sufficient or do you really need to compile 
the driver from source to enable some extended features, or to get a 
properly patched driver etc? I could see some benefits to just using the 
distro packaged driver and not having to compile the driver from scratch 
or rely on dkms when patching sensors. I've had this go very wrong a few 
times.

Are there any gotchas where running one or the other might be the better 
way to go? Examples: wanting to use some Bro feature such as capstats, 
wanting to see VLAN tags in Bro logs, or something else being broken or not 
performing as expected.

Does af_packet or the Bro plugin for it have a way to deal with multiple 
NICs (one per NUMA node), sort of like how pf_ring has dnacluster and 
zbalance_ipc?

Feel free to share any other relevant considerations. I'm especially 
interested in things such as ease of management, performance, 
compatibility etc.

~Gary
