[Snort-devel] PATCH 1/1]: DAQ pcaprr module

Michael Altizer maltizer at ...402...
Fri Apr 29 13:23:57 EDT 2011


On 04/29/2011 10:41 AM, Jeff Murphy wrote:
> Attached. Here's a suggested blurb (based on the Napatech blurb), feel 
> free to edit
>
>
>       PCAPRR External DAQ
>
> PCAPRR can be used to read from multiple network interfaces in cases 
> where those interfaces can not be bonded together (e.g. when using 
> Endace cards). To build this requires libpcap library. This is *NOT* a 
> Sourcefire used or produced module, and support questions should be 
> directed to Jeff Murphy <mailto:jcmurphy at ...3179...>.
>
>
>
Cool.  After looking at the modifications you made, I think you're 
really going to run into some issues with basic fairness, though.  
Basically, assuming the normal Snort method of calling daq_acquire (one 
second timeout, no packet count limit, single-threaded), if one card is 
getting a decent amount of traffic, the other cards will never be read 
from in the round robin implementation.  It's an issue I ran into when 
considering how to allow Snort to open and acquire from multiple DAQ 
module instances simultaneously, and I never really came up with a great 
solution.  If you set a relatively low upper bound on the packets 
processed per acquire call (or in your case, pcap_dispatch() call), you 
will start incurring a huge amount of overhead from repeatedly jumping 
in and out of the call chain down to the cards.  Also, if you ever hit 
the timeout on the card you're currently processing, all of the packets 
waiting on the other cards will languish for at least that amount of 
time (unless you signal the caller when a packet is received on another 
card, but even then you have to hope it was on the next card in your 
round robin).  Setting a low or non-existent (non-blocking) timeout 
helps with this, but effectively ends up as a magnified version of the 
previous overhead issue.

Please take the above as constructive criticism/food for thought.  I'm 
really glad that people are building their own DAQ modules and hope that 
they continue to do so.

-Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20110429/fdfb04b0/attachment.html>


More information about the Snort-devel mailing list