tcpdump mailing list archives

BPF in hardware
From: Livio Ricciulli <livio () metanetworks org>
Date: Mon, 22 Nov 2004 13:26:08 -0800

Hi, I was thinking of contributing some code to libpcap for
interfacing to the MTP PCI cards
(http://www.metanetworks.org/products/mtp.html).

These newly developed Ethernet cards can perform packet matching at 1G
(and soon 10G) wire-speed before they DMA the packets through the PCI
bus to the host. This allows eliminating the uninteresting packets at
the wire thus making the PCI/OS/applications deal only with the
packets specified by the user. Today, the MTP cards are being used in
Snort-like applications but I think that they would also be useful in
the more generic high-speed packet matching functions offered by
libpcap.

The idea is to automatically translate the BPF expressions passed to
libpcap into MTP macrocode and load it into the card on the fly
___in_addition_to___ the normal BPF software matching.  The presence
of the MTP interface can be easily detected at runtime, making this
possibly completely transparent to the user. Also, no changes are
necessary from the OS side of things since the matched packets are
received as if they were coming from a regular NIC in promiscuous
mode.

1) What's the best way to do this from a coding architecture point of
view? Any suggestions where to put the code? Add the entry of the
MTP-specific code in pcap_compile?

2) The cards can do unanchored string search in the payloads; it would
be possible to add new primitives for content (a la Snort) in a BPF
expression. Would people use it? Why don't you do it already in
software?

Thanks,

Livio.
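The translation proposed above would start from the BPF program that pcap_compile produces. As an added example (not from this post, from libpcap or from Meta Networks), the Python below interprets one such program, "tcp port 80" as `tcpdump -d` printed it for an IPv4-only Ethernet link, over a constructed frame, and then runs an unanchored payload search after it to illustrate the Snort-style content primitive asked about in question 2; the card's macrocode itself is not modelled, and the frame builder and its addresses are assumptions made for the test input.

```python
import struct

# libpcap's program for "tcp port 80" on an IPv4-only Ethernet link, as printed
# by `tcpdump -d` and transcribed by hand: (opcode, jt, jf, k), jt/jf relative.
TCP_PORT_80 = [
    ("ldh", 0, 0, 12), ("jeq", 0, 10, 0x0800),   # ethertype == IPv4?
    ("ldb", 0, 0, 23), ("jeq", 0, 8, 6),         # ip proto == TCP?
    ("ldh", 0, 0, 20), ("jset", 6, 0, 0x1FFF),   # drop non-first fragments
    ("ldxmsh", 0, 0, 14),                        # X = 4 * IHL
    ("ldhx", 0, 0, 14), ("jeq", 2, 0, 80),       # src port == 80?
    ("ldhx", 0, 0, 16), ("jeq", 0, 1, 80),       # dst port == 80?
    ("ret", 0, 0, 262144), ("ret", 0, 0, 0),     # accept (snaplen) / drop
]

def run_bpf(prog, pkt):
    """Interpret classic BPF over raw bytes; returns bytes to keep, 0 = drop."""
    a = x = pc = 0
    while True:
        op, jt, jf, k = prog[pc]
        pc += 1
        if op == "ldh":
            a = struct.unpack_from("!H", pkt, k)[0]
        elif op == "ldb":
            a = pkt[k]
        elif op == "ldxmsh":
            x = (pkt[k] & 0x0F) * 4
        elif op == "ldhx":
            a = struct.unpack_from("!H", pkt, x + k)[0]
        elif op == "jeq":
            pc += jt if a == k else jf
        elif op == "jset":
            pc += jt if a & k else jf
        else:                                    # "ret"
            return k

def build_tcp_frame(sport, dport, payload=b"", proto=6, frag=0):
    # Constructed Ethernet/IPv4/TCP frame with dummy addresses (test input only).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, frag, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def accept(pkt, content):
    # Stage 1: the BPF program (the part a card could pre-filter in hardware);
    # stage 2: unanchored search of the TCP payload, a Snort-style "content".
    if run_bpf(TCP_PORT_80, pkt) == 0:
        return False
    l4 = 14 + (pkt[14] & 0x0F) * 4               # start of TCP header
    data = l4 + (pkt[l4 + 12] >> 4) * 4          # start of TCP payload
    return pkt.find(content, data) != -1
```

The two stages are deliberately separate: whatever the card rejects never reaches the host, and the software BPF pass still runs on what it forwards, which is the "in addition to" arrangement described above.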
