[Zeek] Is there any implementation of Zeek/Bro with DPDK

Tarun Anand anandtarun2 at gmail.com
Mon Sep 9 07:49:07 PDT 2019


Thanks for the feedback!


Regards
Tarun Anand

On Mon, 9 Sep 2019 at 6:14 PM, Clark, Gilbert <gc355804 at ohio.edu> wrote:

> Hi,
>
> Might be other efforts out there, but I'll note that I messed with this a
> (large number of) years ago on a small zeek cluster setup.
>
> I didn't find the results of a straightforward (e.g. rewriting a packet
> driver) implementation to be terribly encouraging: there was an existing
> implementation that supported ingest from Netmap and PF_RING which did
> pretty well already, and the vast majority of zeek's time was spent in
> script processing anyway.  Thus I found the results to be somewhat ...
> underwhelming, given the work / likely maintenance effort involved.  A port
> of PacketBricks [1] might've been an interesting alternative approach, but
> was outside of the scope of the academic work I was doing at the time.
>
> One thing I did have some success with was using DPDK to implement a very
> limited version of a sensor in C, and forwarding events from that to the
> larger zeek cluster through broccoli.  That had utility in cases where a
> large percentage of the traffic was a specific type (and thus would take a
> well-known path through zeek script), and the number of events generated
> was relatively limited in relation to the traffic volume.  This is,
> however, likely only suited for some pretty niche use-cases.
>
> Good luck,
> Gilbert Clark
>
> [1] https://github.com/zeek/packet-bricks
> ------------------------------
> *From:* zeek-bounces at zeek.org <zeek-bounces at zeek.org> on behalf of Tarun
> Anand <anandtarun2 at gmail.com>
> *Sent:* Monday, September 9, 2019 7:12 AM
> *To:* zeek at zeek.org <zeek at zeek.org>
> *Subject:* [Zeek] Is there any implementation of Zeek/Bro with DPDK
>
> Hello All
>
> I would like to know if there is any prior/ongoing work to implement Zeek
> on top of DPDK?
>
> Thank You
>
> Regards
> Tarun Anand
>