[Snort-devel] PATCH 1/1]: DAQ pcaprr module
maltizer at ...402...
Fri Apr 29 13:23:57 EDT 2011
On 04/29/2011 10:41 AM, Jeff Murphy wrote:
> Attached. Here's a suggested blurb (based on the Napatech blurb), feel
> free to edit
> PCAPRR External DAQ
> PCAPRR can be used to read from multiple network interfaces in cases
> where those interfaces cannot be bonded together (e.g. when using
> Endace cards). Building this requires the libpcap library. This is *NOT* a
> Sourcefire used or produced module, and support questions should be
> directed to Jeff Murphy <mailto:jcmurphy at ...3179...>.
Cool. After looking at the modifications you made, I think you're
really going to run into some issues with basic fairness, though.
Basically, assuming the normal Snort method of calling daq_acquire (one
second timeout, no packet count limit, single-threaded), if one card is
getting a decent amount of traffic, the other cards will never be read
from in the round robin implementation. It's an issue I ran into when
considering how to allow Snort to open and acquire from multiple DAQ
module instances simultaneously, and I never really came up with a great
solution. If you set a relatively low upper bound on the packets
processed per acquire call (or in your case, pcap_dispatch() call), you
will start incurring a huge amount of overhead from repeatedly jumping
in and out of the call chain down to the cards. Also, if you ever hit
the timeout on the card you're currently processing, all of the packets
waiting on the other cards will languish for at least that amount of
time (unless you signal the caller when a packet is received on another
card, but even then you have to hope it was on the next card in your
round robin). Setting a low or non-existent (non-blocking) timeout
helps with this, but effectively ends up as a magnified version of the
previous overhead issue.
Please take the above as constructive criticism/food for thought. I'm
really glad that people are building their own DAQ modules and hope that
they continue to do so.
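
Added illustration, not part of the original message or of the pcaprr patch: a small C model of the packet-cap trade-off described above, where an uncapped round robin never leaves a busy card and a low cap spends most of its time entering and leaving the call chain. The tick costs, the always-busy card 0, non-blocking reads on the quiet cards and the names rr_simulate and rr_result are assumptions of this model; the timeout case is not modelled.

```c
#include <stdio.h>
#define NCARDS 3 /* card 0 busy, cards 1..2 quiet (constructed scenario) */

struct rr_result {
    long calls;      /* dispatch calls made */
    long overhead;   /* ticks spent entering and leaving the call chain */
    long worst_wait; /* longest wait of a quiet-card packet; -1 = never read */
};

/* Assumed model: 1 tick per packet, call_cost ticks per dispatch call, card 0
 * always has a packet ready, each quiet card gets one packet every
 * quiet_period ticks, quiet-card reads never block. cap == 0 means no limit. */
struct rr_result rr_simulate(long cap, long call_cost, long quiet_period, long horizon)
{
    struct rr_result r = { 0, 0, -1 };
    long read_count[NCARDS] = { 0 }, now = 0;
    int card = 0;
    while (now < horizon) {
        now += call_cost;
        r.calls++;
        r.overhead += call_cost;
        if (card == 0) {
            /* Saturated card: an uncapped call uses up the whole horizon. */
            now += cap ? cap : horizon - now;
        } else {
            long pending = now / quiet_period + 1 - read_count[card];
            if (cap && pending > cap) pending = cap;
            if (pending > 0) {
                /* Packet k arrives at k * quiet_period; oldest unread is k = read_count. */
                long wait = now - read_count[card] * quiet_period;
                if (wait > r.worst_wait)
                    r.worst_wait = wait;
                read_count[card] += pending;
                now += pending;
            }
        }
        card = (card + 1) % NCARDS;
    }
    return r;
}

int main(void) {
    long caps[] = { 0, 1000, 10 }; /* no limit, high cap, low cap */
    for (int i = 0; i < 3; i++) {
        struct rr_result r = rr_simulate(caps[i], 5, 1000, 100000);
        printf("cap=%4ld calls=%5ld overhead=%6ld worst_wait=%ld\n", caps[i], r.calls, r.overhead, r.worst_wait);
    }
    return 0;
}
```

In this model a cap of 0 never reads the quiet cards, a cap of 1000 reads them after about one busy-card batch, and a cap of 10 keeps their wait short while more than half of all ticks go to call overhead.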