[Zeek] R: Zeek and myricom NICs

Palumbo Mauro mauro.palumbo at aizoon.it
Wed Sep 11 06:52:19 PDT 2019


Hi Seth,
   thanks for your prompt reply.

Looking at the myricom software API, I see that they have both a libpcap wrapper and more advanced functionalities in snf.h. Not all source code is open, however, and I am not sure which functionalities are implemented in the libpcap wrappers.  In your plugin you are using snf_open to open the NIC device. I would like to open a Myricom NIC with both aggregation and load_balancing, i.e. 

  int flags = SNF_F_PSHARED;
  flags |= SNF_F_AGGREGATE_PORTMASK;

  struct snf_rss_params rssp;
  rssp.mode = SNF_RSS_FLAGS;
  rssp.params.rss_flags = SNF_RSS_IP | SNF_RSS_SRC_PORT | SNF_RSS_DST_PORT;

   rc = snf_open(portnum, 2, &rssp, dataring_sz, flags, &hsnf);

but I am not sure this works. Did someone ever try it? Myricom documentation is a bit ambiguous on this point...

Mauro


-----Messaggio originale-----
Da: Seth Hall [mailto:seth at corelight.com] 
Inviato: mercoledì 11 settembre 2019 15:36
A: Palumbo Mauro <mauro.palumbo at aizoon.it>
Cc: zeek at zeek.org
Oggetto: Re: [Zeek] Zeek and myricom NICs


On 11 Sep 2019, at 6:43, Palumbo Mauro wrote:

>   quick question: is the bro-myricon plugin (by Seth) still necessary 
> when using myricom nics with Zeek?  I know with pf_ring this is not 
> the case anymore since bro can be directly linked to a modified 
> pf_ring libpcap and I was wondering if this is the case for myricom 
> too.

There are some advantages to using the Myricom plugin directly.  
Generally in my opinion I've been trying to avoid libpcap wrappers for quite a few years now because of various quality issues associated with several of them that I've experienced.  There tends to be API functionality that you don't have an opportunity to take advantage of with a pcap wrapper too.

To some degree this is personal preference though.

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com



More information about the Zeek mailing list