[Zeek] Anyone using 40G Intel NIC and PF_RING ZC
Michał Purzyński
michalpurzynski1 at gmail.com
Fri Sep 6 13:30:26 PDT 2019
There is no need to use pf_ring on any modern operating Linux version.
Linux has the af_packet packet capture mechanism that does the job really
well.
Our production is based on either Intel's X720 or Mellanox ConnectX-4 Lx
cards (any modern Mellanox will do) and the af_packet in a QM mode. That
means card's hardware can do the filtering (and Mellanox is way more
flexible than Intel here) and symmetric hashing, working with af_packet.
BTW Mellanox is cool in yet another way - they happily work with flexoptics
SFP modules, further saving us $$$.
I'm happy to answer all your questions about this setup - so feel free to
ask. You cannot get me tired talking about this ;)
BTW, a while ago, while working with the Suricata's project developer Peter
Manev we wrote these documents. They are slightly outdated but the basics
they describe haven't changed much.
https://github.com/pevma/SEPTun
https://github.com/pevma/SEPTun-Mark-II <- our production is based on this
one
<https://github.com/pevma/SEPTun-Mark-II>
There will also be a talk (shameless self-promotion mode on) on the Zeek
week where I'll present our setup in details and hopefully answer all
questions people might have.
On Fri, Sep 6, 2019 at 12:12 PM Greg Grasmehr <greg.grasmehr at caltech.edu>
wrote:
> Hello,
>
> I'm curious if anyone is utilizing Intel 40G NICs and PF_RING ZC and if
> you'd be willing to share your experience? I'm interested in learning
> about which NIC you chose and how well it is working out.
>
> Thanks in advance for any info and Happy Friday!
>
> --
> Sincerely,
>
> Greg Grasmehr
> Lead Information Security Analyst
> California Institute of Technology (Caltech)
> GPGMe: 38E2 F9BD A95E 9824 20AB 331A 9E29 D1A1 AAEE 5F42
> pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x9E29D1A1AAEE5F42
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190906/d9a52ead/attachment.html
More information about the Zeek
mailing list