[Bro] af_packet comparison to PF_RING ZC/DNA for Bro (in light of recent Suricata tuning paper)
Gary Faulkner
gfaulkner.nsm at gmail.com
Fri Feb 17 12:54:47 PST 2017
After reading over the paper Michal and others worked on concerning
tuning Suricata for best performance with AF_Packet, I'm wondering how
af_packet performance compares to pf_ring DNA/ZC (with the commercially
licensed drivers, not just vanilla), especially when it comes to Bro.

Is af_packet generally sufficient for Bro when it comes to monitoring
100G+ networks using a cluster of commodity servers with Intel X520 NICs?

Is the distro-shipped driver for something like an up-to-date Ubuntu
16.04 (4.4 kernel) server sufficient, or do you really need to compile
the driver from source to enable some extended features, or to get a
properly patched driver, etc.? I could see some benefits to just using the
distro-packaged driver and not having to compile the driver from scratch
or rely on dkms when patching sensors. I've had this go very wrong a few
times.

Are there any gotchas where running one or the other might be the better
way to go? Examples: want to use some Bro feature such as capstats, want
to see VLAN tags in Bro logs, something else is broken or not performing
as expected.

Does af_packet or the Bro plugin for it have a way to deal with multiple
NICs (one per NUMA node), sort of like how pf_ring has dnacluster and
zbalance_ipc?

Feel free to share any other relevant considerations. I'm especially
interested in things such as ease of management, performance,
compatibility, etc.

~Gary
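The multi-NIC question above (one NIC per NUMA node) is, on the af_packet side, mostly a matter of giving each NIC its own fanout group and pinning its workers to cores local to that NIC. The script below is an added example, not part of the original post or of the Bro af_packet plugin itself: it reads NIC-to-NUMA and NUMA-to-CPU mappings from sysfs and emits broctl node.cfg worker blocks. The node.cfg keys it assumes (`interface=af_packet::<nic>`, `lb_method=custom`, `lb_procs`, `pin_cpus`, `af_packet_fanout_id`) are taken from that plugin's README as I recall it; check them against the plugin version you actually run. The constructed inputs in the test are mine, not measurements from any real sensor.

```python
"""Plan one af_packet worker group per NIC, pinned to the NIC's local NUMA node.

Added example (not the original post's or the plugin's own code). Assumes the
Bro af_packet plugin's node.cfg keys; verify against the plugin README.
"""
from pathlib import Path


def parse_cpulist(text):
    """Expand a Linux cpulist such as '0-3,8,10-11' into a sorted list of ints."""
    cpus = []
    for part in text.strip().split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            cpus.extend(range(int(lo), int(hi) + 1))
        else:
            cpus.append(int(part))
    return sorted(set(cpus))


def nic_numa_node(nic, sysfs=Path("/sys")):
    """Return the NUMA node of a NIC from sysfs, or None if unknown (-1 or missing)."""
    p = sysfs / "class" / "net" / nic / "device" / "numa_node"
    try:
        node = int(p.read_text().strip())
    except (OSError, ValueError):
        return None
    return node if node >= 0 else None


def node_cpus(node, sysfs=Path("/sys")):
    """CPUs belonging to a NUMA node, from /sys/devices/system/node/nodeN/cpulist."""
    p = sysfs / "devices" / "system" / "node" / f"node{node}" / "cpulist"
    return parse_cpulist(p.read_text())


def plan_workers(nic_to_node, node_to_cpus, procs_per_nic, reserve=1, base_fanout_id=23):
    """Pure planning step: choose cores for each NIC from its own NUMA node.

    `reserve` leaves the first core(s) of each node free for the OS and IRQ work.
    Each NIC gets a distinct fanout id because PACKET_FANOUT groups are per interface.
    """
    plan = []
    for i, nic in enumerate(sorted(nic_to_node)):
        node = nic_to_node[nic]
        cpus = node_to_cpus[node][reserve:]
        if len(cpus) < procs_per_nic:
            raise ValueError(f"{nic}: NUMA node {node} has only {len(cpus)} spare cores")
        plan.append({
            "name": f"worker-{nic}",
            "nic": nic,
            "numa_node": node,
            "pin_cpus": cpus[:procs_per_nic],
            "fanout_id": base_fanout_id + i,
        })
    return plan


def render_node_cfg(plan):
    """Render broctl node.cfg worker blocks (assumed af_packet plugin keys)."""
    blocks = []
    for w in plan:
        blocks.append(
            f"[{w['name']}]\n"
            "type=worker\n"
            "host=localhost\n"
            f"interface=af_packet::{w['nic']}\n"
            "lb_method=custom\n"
            f"lb_procs={len(w['pin_cpus'])}\n"
            f"pin_cpus={','.join(map(str, w['pin_cpus']))}\n"
            f"af_packet_fanout_id={w['fanout_id']}\n"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    import sys
    nics = sys.argv[1:] or ["eth2", "eth3"]  # hypothetical interface names
    # Unknown NUMA locality (common in VMs) falls back to node 0.
    nic_to_node = {n: (nic_numa_node(n) or 0) for n in nics}
    node_to_cpus = {node: node_cpus(node) for node in set(nic_to_node.values())}
    print(render_node_cfg(plan_workers(nic_to_node, node_to_cpus, procs_per_nic=4)))
```

Run it on the sensor with the capture interfaces as arguments and paste the output into node.cfg; if a NIC reports `numa_node` of -1, its PCIe slot locality is not exposed and the fallback to node 0 may be wrong, so check `lspci -vv` before trusting the pinning.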