[Oisf-devel] Linux af-packet::mmap enhancement

Victor Julien victor at inliniac.net
Thu Jun 23 14:58:58 UTC 2011


On 06/23/2011 04:41 PM, chetan loke wrote:
> On Thu, Jun 23, 2011 at 3:03 AM, Victor Julien <victor at inliniac.net> wrote:
>> On 06/22/2011 08:30 PM, chetan loke wrote:
>>> Hello,
>>>
>>> I recently came across the suricata project. I haven't looked at the
>>> suricata code in detail and know nothing about the architecture. So if
>>> my email doesn't make sense then please ignore it.
>>
>> This certainly looks interesting to use in Suricata. We are currently
>> looking at adding AF_PACKET support, but we could use help.
> 
> Oki, let me first finish spinning a kernel-rpm. Once that's done I will
> look into this.
> 
> Also, if we want we can modify TPACKET_V3 header so that it is an
> exact replica of the libpcap format. That way we don't need to walk
> through the packets in user-space and normalize them. We will save a
> lot of cycles that way.
> More on this later when I get to the implementation.

Cool.

>> As you may
>> have seen on netdev David Miller is working on a cluster mode (FANOUT as
>> he calls it) for AF_PACKET, that looks very useful for us too.
>>
> 
> Correct me if I'm wrong. But what this support means is, for exploiting FANOUT,
> one needs to open multiple af-packet sockets for a single monitoring interface?

Doesn't need to, but can. This way we have several CPU/core pinned
threads read packets from the same interface. We support this with
pfring's clusters and it's working very well for performance.

Cheers,
Victor


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
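
The fanout arrangement discussed in this thread, sketched with the PACKET_FANOUT socket option as it exists in mainline Linux (`linux/if_packet.h`). This is an added example, not code from the thread or from Suricata; the interface name, group id 42 and the count of four sockets are assumptions, and opening the sockets requires CAP_NET_RAW.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* PACKET_FANOUT takes one int: group id in the low 16 bits, mode in the high 16. */
static int fanout_arg(uint16_t group_id, uint16_t mode)
{
    return (int)(((uint32_t)mode << 16) | group_id);
}

/* Open one AF_PACKET socket bound to ifname and join it to a fanout group.
 * Returns the fd, or -1 on any error (unknown interface, missing CAP_NET_RAW). */
static int open_fanout_socket(const char *ifname, uint16_t group_id, uint16_t mode)
{
    unsigned int ifindex = if_nametoindex(ifname);
    int fd, arg = fanout_arg(group_id, mode);
    struct sockaddr_ll sll;

    if (ifindex == 0)
        return -1;
    fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -1;
    memset(&sll, 0, sizeof(sll));
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex = (int)ifindex;
    /* All members of a group must be bound to the same interface. */
    if (bind(fd, (struct sockaddr *)&sll, sizeof(sll)) < 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_FANOUT, &arg, sizeof(arg)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth0"; /* assumed default */
    int joined = 0;
    for (int i = 0; i < 4; i++) /* one socket per CPU-pinned capture thread */
        if (open_fanout_socket(ifname, 42, PACKET_FANOUT_HASH) >= 0) joined++;
    printf("%d sockets joined fanout group 42 on %s\n", joined, ifname);
    return joined == 4 ? 0 : 1;
}
```

With PACKET_FANOUT_HASH the kernel keeps each flow on one socket, so a per-thread flow table needs no cross-thread locking; PACKET_FANOUT_CPU instead delivers by the CPU that received the packet.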