[Snort-devel] [PATCH 1/1]: DAQ pcaprr module
jeff.murphy at ...2499...
Fri Apr 29 13:39:33 EDT 2011
On Apr 29, 2011, at 1:23 PM, Michael Altizer wrote:
> On 04/29/2011 10:41 AM, Jeff Murphy wrote:
>> Attached. Here's a suggested blurb (based on the Napatech blurb), feel free to edit
>> PCAPRR External DAQ
>> PCAPRR can be used to read from multiple network interfaces in cases where those interfaces cannot be bonded together (e.g. when using Endace cards). Building it requires the libpcap library. This is NOT a Sourcefire used or produced module, and support questions should be directed to Jeff Murphy.
> Cool. After looking at the modifications you made, I think you're really going to run into some issues with basic fairness, though. Basically, assuming the normal Snort method of calling daq_acquire (one second timeout, no packet count limit, single-threaded), if one card is getting a decent amount of traffic, the other cards will never be read from in the round robin implementation. It's an issue I ran into when considering how to allow Snort to open and acquire from multiple DAQ module instances simultaneously, and I never really came up with a great solution. If you set a relatively low upper bound on the packets processed per acquire call (or in your case, pcap_dispatch() call), you will start incurring a huge amount of overhead from repeatedly jumping in and out of the call chain down to the cards. Also, if you ever hit the timeout on the card you're currently processing, all of the packets waiting on the other cards will languish for at least that amount of time (unless you signal the caller when a packet is received on another card, but even then you have to hope it was on the next card in your round robin). Setting a low or non-existent (non-blocking) timeout helps with this, but effectively ends up as a magnified version of the previous overhead issue.
> Please take the above as constructive criticism/food for thought. I'm really glad that people are building their own DAQ modules and hope that they continue to do so.
Good stuff, cool ideas. I'll think about it. I've been monitoring the cards regularly for dropped traffic and so far haven't seen anything significant. I currently have 2Gbps (1.5G on one card and 500M on the other) load balanced across 10 snort processes. Stats /look/ ok so far. Hopefully round-robin will suffice in the near term.
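The fairness trade-off Michael describes above (an unbounded dispatch on a busy card starves the other cards, while a low per-call packet cap shares the reader's capacity but multiplies the number of calls into the capture layer) can be reproduced with a small scheduling model. The following C program is an added example written for this archive page; it is not code from the pcaprr module or from the DAQ library. It simulates two cards feeding one single-threaded round-robin reader, with constructed load figures (2100 and 500 packets per tick, a reader budget of 2000 packets per tick, a 4096-packet card buffer) and a `cnt` argument that stands in for the count passed to pcap_dispatch(); all names and numbers are assumptions for the illustration.

```c
#include <stdio.h>

#define MAX_SOURCES 4

/* One simulated capture card: packets arrive at a fixed rate per tick and
   wait in a bounded buffer until the round-robin loop reads them. */
typedef struct {
    int rate;        /* packets arriving per tick (constructed sample load) */
    int pending;     /* packets currently buffered on the card */
    int cap;         /* buffer capacity; arrivals beyond it are dropped */
    long served;     /* packets handed to the reader */
    long dropped;    /* packets lost to buffer overflow */
} sim_source_t;

typedef struct {
    int nsrc;
    int cur;         /* next card in round-robin order */
    int in_call;     /* 1 while an unbounded dispatch has not yet returned */
    long calls;      /* dispatch calls started (proxy for per-call overhead) */
    sim_source_t src[MAX_SOURCES];
} sim_t;

static void sim_init(sim_t *s, int nsrc, const int *rates, int cap) {
    s->nsrc = nsrc; s->cur = 0; s->in_call = 0; s->calls = 0;
    for (int i = 0; i < nsrc; i++) {
        s->src[i].rate = rates[i]; s->src[i].pending = 0; s->src[i].cap = cap;
        s->src[i].served = 0; s->src[i].dropped = 0;
    }
}

/* Model of one pcap_dispatch()-style call on card idx: reads up to cnt
   packets (cnt <= 0 means "everything buffered"), bounded by the reader's
   remaining processing budget for this tick. Returns packets read. */
static int sim_dispatch(sim_t *s, int idx, int cnt, int budget) {
    sim_source_t *p = &s->src[idx];
    int n = p->pending;
    if (cnt > 0 && n > cnt) n = cnt;
    if (n > budget) n = budget;
    p->pending -= n;
    p->served += n;
    return n;
}

/* Run the single-threaded round-robin acquire loop for `ticks` ticks. Each
   tick the reader can process at most `budget` packets in total. */
void sim_run(sim_t *s, int ticks, int budget, int cnt) {
    for (int t = 0; t < ticks; t++) {
        for (int i = 0; i < s->nsrc; i++) {           /* traffic arrives on every card */
            sim_source_t *p = &s->src[i];
            p->pending += p->rate;
            if (p->pending > p->cap) { p->dropped += p->pending - p->cap; p->pending = p->cap; }
        }
        int left = budget, idle = 0;
        while (left > 0 && idle < s->nsrc) {            /* stop when budget or traffic runs out */
            if (!s->in_call) { s->calls++; s->in_call = 1; }
            int got = sim_dispatch(s, s->cur, cnt, left);
            left -= got;
            idle = got ? 0 : idle + 1;
            /* An unbounded call only returns once the card's buffer is empty;
               a bounded call returns after cnt packets. Only then does the
               loop move on to the next card. */
            if (cnt > 0 || s->src[s->cur].pending == 0) {
                s->in_call = 0;
                s->cur = (s->cur + 1) % s->nsrc;
            }
        }
    }
}

/* Constructed scenario: a hot card (2100 pkt/tick) beside a quiet one
   (500 pkt/tick) feeding a reader that handles 2000 pkt/tick for 10 ticks. */
static sim_t run_scenario(int cnt) {
    static const int rates[2] = { 2100, 500 };
    sim_t s;
    sim_init(&s, 2, rates, 4096);
    sim_run(&s, 10, 2000, cnt);
    return s;
}

long scenario_served(int cnt, int card)  { return run_scenario(cnt).src[card].served; }
long scenario_dropped(int cnt, int card) { return run_scenario(cnt).src[card].dropped; }
long scenario_calls(int cnt)             { return run_scenario(cnt).calls; }

int main(void) {
    const int cnts[2] = { -1, 64 };
    for (int k = 0; k < 2; k++) {
        sim_t s = run_scenario(cnts[k]);
        printf("cnt=%d: dispatch calls=%ld\n", cnts[k], s.calls);
        for (int i = 0; i < s.nsrc; i++)
            printf("  card%d served=%ld dropped=%ld\n", i, s.src[i].served, s.src[i].dropped);
    }
    return 0;
}
```

With `cnt = -1` the loop never leaves the hot card (one dispatch call that never returns), so the quiet card is never read and its buffer overflows even though the reader had spare capacity for it. With `cnt = 64` the quiet card is fully served every tick and the overload shows up as drops on the hot card instead, at the price of several hundred dispatch calls over the same period; lowering `cnt` further trades fairness granularity for call overhead exactly as the thread describes.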