[Oisf-users] Suricata with PF_RING on latest git

Martin Holste mcholste at gmail.com
Fri Jul 6 14:36:57 UTC 2012


One thing to watch out for when using PF_RING in transparent_mode=0
across multiple applications is the BPF.  They (at least back in
PF_RING 5.1) had to have identical BPF otherwise one app would see
packets and another wouldn't.

I think that PF_RING is the way to go right now because it still
offers the best performance, especially folks who can flip over to
DNA, etc.  If your app is running PF_RING and dropping packets, it's
the app's fault, never PF_RING, and %si time is very low.  However, I
don't have experience with the latest AF_PACKET, so if someone has any
stats on recent AF_PACKET vs PF_RING, I'm sure there would be a lot of
very interested readers.  I didn't find anything on a quick Google.
My gut says that PF_RING is still going to be much faster, because
Luca's worked on it for years and the AF_PACKET fan-out implementation
is still fairly new.

On Fri, Jul 6, 2012 at 6:18 AM, Doug Burks <doug.burks at gmail.com> wrote:
> I'm currently working on rebuilding my Security Onion distro on Ubuntu
> 12.04 64-bit and am looking at pfring vs afpacket, so this is a very
> interesting discussion.  I like the simplicity of Suricata's afpacket
> fanout support, but since we also run Bro, we'd have to do pfring
> anyway.  And since we have non-pfring applications (like daemonlogger)
> and have to support as many NICs as possible, we'd be using pfring
> transparent_mode 0.  So given all that, should we go with pfring for
> Suricata, or is there some advantage to using afpacket in this
> scenario?
> Thanks,
> Doug
> On Fri, Jul 6, 2012 at 4:21 AM, Victor Julien <victor at inliniac.net> wrote:
>> On 07/06/2012 10:17 AM, Anoop Saldanha wrote:
>>>>> And I can verify, if you run pfring, it wont die if you dont send
>>>>> >> packets.
>>>> >
>>>> > Yeah, no packets, no shutdown. Blame pfring :)
>>>> >
>>> Maybe wait for 'x' seconds an if it hasn't shutdown as yet, inject a
>>> packet to trigger shutdown.
>> That would be injecting on the wire, and then even account for the
>> number of reader threads and the various cluster options. Way too
>> complicated IMO.
>> I think Luca was working on a timeout feature at some point, not sure
>> what the status is.
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> --
> Doug Burks
> http://securityonion.blogspot.com
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

More information about the Oisf-users mailing list