Snort mailing list archives

Re: [PATCH 1/1]: DAQ pcaprr module


From: Michael Altizer <maltizer () sourcefire com>
Date: Fri, 29 Apr 2011 13:23:57 -0400

On 04/29/2011 10:41 AM, Jeff Murphy wrote:
Attached. Here's a suggested blurb (based on the Napatech blurb), feel free to edit


      PCAPRR External DAQ

PCAPRR can be used to read from multiple network interfaces in cases where those interfaces cannot be bonded together (e.g. when using Endace cards). Building this requires the libpcap library. This is *NOT* a Sourcefire used or produced module, and support questions should be directed to Jeff Murphy <mailto:jcmurphy () jeffmurphy org>.



Cool. After looking at the modifications you made, I think you're really going to run into some issues with basic fairness, though. Basically, assuming the normal Snort method of calling daq_acquire (one second timeout, no packet count limit, single-threaded), if one card is getting a decent amount of traffic, the other cards will never be read from in the round robin implementation. It's an issue I ran into when considering how to allow Snort to open and acquire from multiple DAQ module instances simultaneously, and I never really came up with a great solution. If you set a relatively low upper bound on the packets processed per acquire call (or in your case, pcap_dispatch() call), you will start incurring a huge amount of overhead from repeatedly jumping in and out of the call chain down to the cards. Also, if you ever hit the timeout on the card you're currently processing, all of the packets waiting on the other cards will languish for at least that amount of time (unless you signal the caller when a packet is received on another card, but even then you have to hope it was on the next card in your round robin). Setting a low or non-existent (non-blocking) timeout helps with this, but effectively ends up as a magnified version of the previous overhead issue.

Please take the above as constructive criticism/food for thought. I'm really glad that people are building their own DAQ modules and hope that they continue to do so.

-Michael
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
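
The fairness trade-off raised in the message above, as a small added simulation (not code from the pcaprr patch, the DAQ library, or either poster). The tick model, `simulate()`, the ring size, the per-tick capacity and the load figures are constructed assumptions, and the model simplifies real pcap_dispatch() timeout behaviour.

```c
#include <stdio.h>

#define NIF  3    /* interfaces polled round-robin (assumed) */
#define RING 64   /* per-interface buffer, in packets (assumed) */
#define CAP  8    /* packets the reader can process per tick (assumed) */

struct stats { long served[NIF], dropped[NIF], calls; };
/* limit <= 0: no per-call packet limit. timeout: idle ticks before a
 * call on the current interface returns (0 = non-blocking). */
struct stats simulate(const int rate[NIF], int limit, int timeout, int ticks)
{
    struct stats s = { {0}, {0}, 1 };
    int q[NIF] = {0}, cur = 0, done = 0, idle = 0;
    for (int t = 0; t < ticks; t++) {
        for (int i = 0; i < NIF; i++) {            /* arrivals, drop on overflow */
            q[i] += rate[i];
            if (q[i] > RING) { s.dropped[i] += q[i] - RING; q[i] = RING; }
        }
        int budget = CAP, empties = 0;
        while (budget > 0 && empties < NIF) {
            int rotate = 0;
            if (q[cur] > 0) {                      /* deliver one packet */
                q[cur]--; s.served[cur]++; budget--;
                idle = 0; empties = 0;
                rotate = (limit > 0 && ++done >= limit);
            } else if (timeout == 0) {             /* non-blocking: move on */
                empties++; rotate = 1;
            } else {                               /* block for the rest of the tick */
                rotate = (++idle >= timeout);
                budget = 0;
            }
            if (rotate) { cur = (cur + 1) % NIF; done = 0; idle = 0; s.calls++; }
        }
    }
    return s;
}

int main(void)
{
    const int rate[NIF] = { 2, 1, 1 };   /* constructed load, well below CAP */
    const int cfg[3][2] = { {0, 10}, {1, 10}, {1, 0} };   /* {limit, timeout} */
    for (int c = 0; c < 3; c++) {
        struct stats s = simulate(rate, cfg[c][0], cfg[c][1], 1000);
        printf("limit=%d timeout=%d calls=%ld served=%ld/%ld/%ld dropped=%ld/%ld/%ld\n",
               cfg[c][0], cfg[c][1], s.calls, s.served[0], s.served[1], s.served[2],
               s.dropped[0], s.dropped[1], s.dropped[2]);
    }
    return 0;
}
```

In this model the unlimited, blocking configuration never leaves the first interface; a per-call limit of 1 serves every interface but multiplies the number of calls, and with a blocking timeout it also lets the busier interface back up while the reader waits on an empty one.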
