Re: PATCH 1/1]: DAQ pcaprr module

[Jeff Murphy <jeff.murphy () gmail com>]

On Apr 29, 2011, at 1:23 PM, Michael Altizer wrote:

> On 04/29/2011 10:41 AM, Jeff Murphy wrote:
> > Attached. Here's a suggested blurb (based on the Napatech blurb), feel free to edit 
> >
> >
> > PCAPRR External DAQ
> > PCAPRR can be used to read from multiple network interfaces in cases where those interfaces can not be bonded 
> > together (e.g. when using Endace cards). To build this requires libpcap library. This is NOT a Sourcefire used or 
> > produced module, and support questions should be directed to Jeff Murphy. 
> Cool.  After looking at the modifications you made, I think you're really going to run into some issues with basic 
> fairness, though.  Basically, assuming the normal Snort method of calling daq_acquire (one second timeout, no packet 
> count limit, single-threaded), if one card is getting a decent amount of traffic, the other cards will never be read 
> from in the round robin implementation.  It's an issue I ran into when considering how to allow Snort to open and 
> acquire from multiple DAQ module instances simultaneously, and I never really came up with a great solution.  If you 
> set a relatively low upper bound on the packets processed per acquire call (or in your case, pcap_dispatch() call), 
> you will start incurring a huge amount of overhead from repeatedly jumping in and out of the call chain down to the 
> cards.  Also, if you ever hit the timeout on the card you're currently processing, all of the packets waiting on the 
> other cards will languish for at least that amount of time (unless you signal the caller when a packet is received on 
> another card, but even then you have to hope it was on the next card in your round robin).  Setting a low or 
> non-existent (non-blocking) timeout helps with this, but effectively ends up as a magnified version of the previous 
> overhead issue.
>
> Please take the above as constructive criticism/food for thought.  I'm really glad that people are building their own 
> DAQ modules and hope that they continue to do so.


Good stuff, cool ideas. I'll think about it. I've been monitoring the cards regularly for dropped traffic and so far 
haven't seen anything significant. I currently have 2Gbps (1.5G on one card and 500M on the other) load balanced across 
10 snort processes. Stats /look/ ok so far. Hopefully round-robin will suffice in the near term.

jeff

------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network 
management toolset available today.  Delivers lowest initial 
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel