[Snort-devel] A multithreaded DPDK DAQ Module for Snort 3.0

Michael Altizer mialtize at ...3461...
Thu Sep 15 10:49:34 EDT 2016


Thanks, NachtZ - this looks like a great start to a multi-threaded DPDK 
DAQ module.  It might be better if you were to offer it as a standalone 
DAQ module for the time being (see https://github.com/Xiche/daq_odp for 
an example).

Just a warning for anyone trying to just pick this up and use it: like 
NachtZ said, each packet thread will only receive packets from a single 
interface.  This means that Snort inspection will be generally 
ineffectual in an inline scenario as any given packet thread will only 
be looking at one direction of the traffic and be fairly confused when 
it comes to bidirectional protocols (say, TCP).

On 09/13/2016 10:18 AM, Nacht Z wrote:
>
> Hello Everyone:
>
> I have implemented a multithreaded DPDK DAQ module for daq 2.10 and 
> snort 3.0. Here is the project link on GitHub: DPDK_DAQ 
> <https://github.com/NachtZ/daq_dpdk>.
> The link is a complete daq-2.1.0 project and a guide about how to 
> install and use the mode in snort 3.0.
> This module supports multithreading and has changed the relationship between 
> snort3.0’s pigs (in fact that’s another name for a thread in snort3.0) and 
> NICs. A pig
> can only have one NIC in the dpdk module. So if you want to run multiple NICs, 
> you should use the |-z| option in snort3. If not, you can in fact only use 
> one NIC.
> I have also tested the performance using Spirent Test Center. I 
> linked the snort and Test Center like this:
>
> Spirent Port0 <--------------> Snort Port2
>       ↑                             ↑
>       |                             |
>       |                             |
>       ↓                             ↓
> Spirent Port1 <--------------> Snort Port3
>
> I send packets from port0 to port2 and from port1 to port3. The 
> snort (running in inline mode and with bps mode ‘not ip’) forwards the flows 
> along the links |port2 -> port3 -> port1| and |port3 -> port2 -> port0| at the
> same time. On my 82599ES, I can run at nearly full speed (99%) in 10G LAN 
> mode without losing packets. (But when I run at 100 speed it will lose 
> 4445/500000000 packets.)
>
> This project is based on |daq_netmap.c| module and Tiwei Bie’s project 
> <https://sourceforge.net/p/snort/mailman/message/35162409/>.
>
> Any comments would be appreciated. Thanks a lot!
> Best wishes
> NachtZ
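
An added illustration of the warning at the top of this message (not code from daq_dpdk, the DAQ library or Snort): when packet threads are chosen by receive interface, the two directions of one TCP connection crossing an inline pair land on different threads, whereas a direction-independent flow hash, a common way to distribute flows, keeps them together. The struct, function names and sample packets are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
/* Fields used to choose a packet thread (hypothetical struct, not a DAQ type). */
struct pkt {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto, rx_if;          /* rx_if: interface the packet arrived on */
};

/* Constructed sample: one TCP connection crossing an inline pair of ports. */
static const struct pkt sample_syn    = {0xC000020A, 0xC6336414, 49152, 80, 6, 0};
static const struct pkt sample_synack = {0xC6336414, 0xC000020A, 80, 49152, 6, 1};

/* Assignment described in the thread: one packet thread per interface. */
unsigned thread_by_interface(const struct pkt *p, unsigned nthreads) {
    return p->rx_if % nthreads;
}

/* Direction-independent key: order the two endpoints before hashing
 * (FNV-1a), so A->B and B->A produce the same value. */
uint32_t symmetric_flow_hash(const struct pkt *p) {
    uint64_t a = ((uint64_t)p->src_ip << 16) | p->src_port;
    uint64_t b = ((uint64_t)p->dst_ip << 16) | p->dst_port;
    uint64_t lo = a < b ? a : b, hi = a < b ? b : a;
    uint8_t buf[17];
    for (int i = 0; i < 8; i++) {
        buf[i]     = (uint8_t)(lo >> (8 * i));
        buf[8 + i] = (uint8_t)(hi >> (8 * i));
    }
    buf[16] = p->proto;
    uint32_t h = 2166136261u;
    for (unsigned i = 0; i < sizeof buf; i++) { h ^= buf[i]; h *= 16777619u; }
    return h;
}
unsigned thread_by_flow(const struct pkt *p, unsigned nthreads) {
    return symmetric_flow_hash(p) % nthreads;
}

/* 1 if the two directions of a connection land on different threads. */
int directions_split(unsigned (*assign)(const struct pkt *, unsigned),
                     const struct pkt *fwd, const struct pkt *rev, unsigned n) {
    return assign(fwd, n) != assign(rev, n);
}

int main(void) {
    const struct pkt *f = &sample_syn, *r = &sample_synack;
    printf("per-interface split: %d\n", directions_split(thread_by_interface, f, r, 2));
    printf("flow-hash split: %d\n", directions_split(thread_by_flow, f, r, 2));
    return 0;
}
```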