[Oisf-devel] Linux af-packet::mmap enhancement

chetan loke loke.chetan at gmail.com
Thu Jun 23 14:41:21 UTC 2011


On Thu, Jun 23, 2011 at 3:03 AM, Victor Julien <victor at inliniac.net> wrote:
> On 06/22/2011 08:30 PM, chetan loke wrote:
>> Hello,
>>
>> I recently came across the suricata project. I haven't looked at the
>> suricata code in detail and know nothing about the architecture. So if
>> my email doesn't make sense then please ignore it.
>
> This certainly looks interesting to use in Suricata. We are currently
> looking at adding AF_PACKET support, but we could use help.

Oki, let me first finish spinning a kernel-rpm. Once that's done I will
look into this.

Also, if we want, we can modify the TPACKET_V3 header so that it is an
exact replica of the libpcap format. That way we don't need to walk
through the packets in user-space and normalize them. We will save a
lot of cycles that way. More on this later when I get to the
implementation.

> As you may
> have seen on netdev David Miller is working on a cluster mode (FANOUT as
> he calls it) for AF_PACKET, that looks very useful for us too.
>

Correct me if I'm wrong, but what this support means is that, to exploit
FANOUT, one needs to open multiple af-packet sockets for a single
monitoring interface?


>>
>>
>> 1) kernel patch - based on net-next.
>>
>> http://marc.info/?l=linux-netdev&m=130870868502003&w=3
>> http://marc.info/?l=linux-kernel&m=130870870702028&w=3
>> http://marc.info/?l=linux-netdev&m=130870873902061&w=3
>
> I see you got no replies to it. On list anyway.
>

Well, kernel folks also want to avoid 'merge' and 'run' cases.
But another good thing is that no one (yet) said - 'Hell no, this
logic is insane' ;)

>>
>> 2) Sample user space C code:
>> git://lolpcap.git.sourceforge.net/gitroot/lolpcap/lolpcap
>>
>
> Personally I won't have the cycles to look into this any time soon, but
> would welcome help :)
>

I will definitely try to look into this once the kernel-rpm is out.

> Cheers,
> Victor
>

regards
Chetan Loke


