[Zeek] Is there any implementation of Zeek/Bro with DPDK

Clark, Gilbert gc355804 at ohio.edu
Mon Sep 9 05:44:03 PDT 2019


Might be other efforts out there, but I'll note that I messed with this a (large number of) years ago on a small zeek cluster setup.

I didn't find the results of a straightforward (e.g. rewriting a packet driver) implementation to be terribly encouraging: there was an existing implementation that supported ingest from Netmap and PF_RING which did pretty well already, and the vast majority of zeek's time was spent in script processing anyway.  Thus I found the results to be somewhat ... underwhelming, given the work / likely maintenance effort involved.  A port of PacketBricks [1] might've been an interesting alternative approach, but was outside of the scope of the academic work I was doing at the time.

One thing I did have some success with was using DPDK to implement a very limited version of a sensor in C, and forwarding events from that to the larger zeek cluster through broccoli.  That had utility in cases where a large percentage of the traffic was a specific type (and thus would take a well-known path through zeek script), and the number of events generated was relatively limited in relation to the traffic volume.  This is, however, likely only suited for some pretty niche use-cases.

Good luck,
Gilbert Clark

[1] https://github.com/zeek/packet-bricks
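The design sketched in the message above (a small fast path in C that ingests raw frames and forwards only a few summary events to the Zeek cluster) is illustrated by the added example below. It is not code from this thread, from Zeek, or from the Broccoli library. It assumes a receive loop that hands over raw Ethernet frames (in the real sensor that would be DPDK's burst receive), uses a hypothetical emit callback where a Broccoli event send would sit, and feeds itself constructed DNS frames so it runs offline.

```c
/* Added example (not from the thread, Zeek, or Broccoli): a minimal
 * "limited sensor" fast path. It classifies raw Ethernet frames, keeps
 * per-client counters, and hands a summary event to a caller-supplied
 * emit callback only every REPORT_EVERY matches, so the event stream
 * stays small relative to packet volume. The frame source and the
 * emit callback are assumptions standing in for DPDK and Broccoli. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HDR_LEN   14
#define ETHERTYPE_IP4 0x0800
#define PROTO_UDP     17
#define DNS_PORT      53
#define MAX_TRACKED   64      /* bounded table: no allocation on the fast path */
#define REPORT_EVERY  1000    /* one summary event per 1000 queries per client */

struct client_counter { uint32_t src_ip; uint64_t queries; uint64_t reported; };

struct sensor {
    struct client_counter table[MAX_TRACKED];
    size_t n;
    uint64_t packets_seen;
    uint64_t events_emitted;
};

/* Called once per summary event; a real sensor would build and send a
 * Broccoli event here instead of printing. */
typedef void (*emit_fn)(uint32_t src_ip, uint64_t queries);

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Return 1 and set *src_ip if the frame is IPv4/UDP to port 53 (a DNS
 * query); 0 for anything else or anything too short to parse safely. */
static int classify_dns_query(const uint8_t *f, size_t len, uint32_t *src_ip)
{
    if (len < ETH_HDR_LEN + 20 + 8 || rd16(f + 12) != ETHERTYPE_IP4) return 0;
    const uint8_t *ip = f + ETH_HDR_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_HDR_LEN + ihl + 8) return 0;
    if (ip[9] != PROTO_UDP) return 0;
    if (rd16(ip + ihl + 2) != DNS_PORT) return 0;   /* UDP destination port */
    *src_ip = rd32(ip + 12);
    return 1;
}

static struct client_counter *lookup(struct sensor *s, uint32_t ip)
{
    for (size_t i = 0; i < s->n; i++)
        if (s->table[i].src_ip == ip) return &s->table[i];
    if (s->n == MAX_TRACKED) return NULL;   /* table full: drop rather than stall */
    struct client_counter *c = &s->table[s->n++];
    c->src_ip = ip; c->queries = 0; c->reported = 0;
    return c;
}

/* Process one frame. Returns 1 if a summary event was emitted. */
int sensor_process(struct sensor *s, const uint8_t *f, size_t len, emit_fn emit)
{
    uint32_t src;
    s->packets_seen++;
    if (!classify_dns_query(f, len, &src)) return 0;
    struct client_counter *c = lookup(s, src);
    if (!c) return 0;
    c->queries++;
    if (c->queries - c->reported < REPORT_EVERY) return 0;
    c->reported = c->queries;
    s->events_emitted++;
    emit(src, c->queries);
    return 1;
}

/* Constructed test frame: Ethernet + IPv4 + UDP + a 12-byte DNS header. */
static size_t build_frame(uint8_t *buf, uint32_t src_ip, uint16_t dst_port)
{
    const size_t dns_len = 12, ip_len = 20 + 8 + dns_len;
    memset(buf, 0, ETH_HDR_LEN + ip_len);
    buf[12] = 0x08; buf[13] = 0x00;                                   /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HDR_LEN;
    ip[0] = 0x45; ip[2] = (uint8_t)(ip_len >> 8); ip[3] = (uint8_t)ip_len;
    ip[8] = 64; ip[9] = PROTO_UDP;                                    /* TTL, protocol */
    ip[12] = (uint8_t)(src_ip >> 24); ip[13] = (uint8_t)(src_ip >> 16);
    ip[14] = (uint8_t)(src_ip >> 8);  ip[15] = (uint8_t)src_ip;
    ip[16] = 192; ip[17] = 0; ip[18] = 2; ip[19] = 53;                /* resolver 192.0.2.53 */
    uint8_t *udp = ip + 20;
    udp[0] = 0x30; udp[1] = 0x39;                                     /* source port 12345 */
    udp[2] = (uint8_t)(dst_port >> 8); udp[3] = (uint8_t)dst_port;
    udp[5] = (uint8_t)(8 + dns_len);                                  /* UDP length */
    return ETH_HDR_LEN + ip_len;
}

static void print_event(uint32_t ip, uint64_t q)
{
    printf("event dns_volume: client=%u.%u.%u.%u queries=%llu\n",
           ip >> 24, (ip >> 16) & 255, (ip >> 8) & 255, ip & 255, (unsigned long long)q);
}

/* Feed n copies of one frame from 10.0.0.7 and return the events emitted. */
uint64_t run_demo(size_t n, uint16_t dst_port)
{
    struct sensor s; memset(&s, 0, sizeof s);
    uint8_t frame[64];
    size_t len = build_frame(frame, 0x0A000007u, dst_port);
    for (size_t i = 0; i < n; i++) sensor_process(&s, frame, len, print_event);
    return s.events_emitted;
}

int main(void)
{
    printf("events: %llu\n", (unsigned long long)run_demo(2500, DNS_PORT));
    return 0;
}
```

The thing to take from the demo is the ratio: 2500 matching packets produce two events, and frames that are not the "specific type" (here, anything that is not UDP/53) never reach the counter at all. That is what makes the approach pay off only when the traffic is dominated by one well-understood type, as the message notes.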

From: zeek-bounces at zeek.org <zeek-bounces at zeek.org> on behalf of Tarun Anand <anandtarun2 at gmail.com>
Sent: Monday, September 9, 2019 7:12 AM
To: zeek at zeek.org <zeek at zeek.org>
Subject: [Zeek] Is there any implementation of Zeek/Bro with DPDK

Hello All

I would like to know if there is any prior/ ongoing work to implement Zeek on top of DPDK?

Thank You

Tarun Anand
