[Oisf-users] Suricata with PF_RING on latest git

Doug Burks doug.burks at gmail.com
Fri Jul 6 15:12:15 UTC 2012


Interesting, that BPF issue is definitely a potential gotcha for us.
Does anybody know if this is still an issue with newer versions of
pfring?

Thanks,
Doug

On Fri, Jul 6, 2012 at 10:36 AM, Martin Holste <mcholste at gmail.com> wrote:
> Doug,
>
> One thing to watch out for when using PF_RING in transparent_mode=0
> across multiple applications is the BPF.  They (at least back in
> PF_RING 5.1) had to have identical BPF otherwise one app would see
> packets and another wouldn't.
>
> I think that PF_RING is the way to go right now because it still
> offers the best performance, especially folks who can flip over to
> DNA, etc.  If your app is running PF_RING and dropping packets, it's
> the app's fault, never PF_RING, and %si time is very low.  However, I
> don't have experience with the latest AF_PACKET, so if someone has any
> stats on recent AF_PACKET vs PF_RING, I'm sure there would be a lot of
> very interested readers.  I didn't find anything on a quick Google.
> My gut says that PF_RING is still going to be much faster, because
> Luca's worked on it for years and the AF_PACKET fan-out implementation
> is still fairly new.
>
> On Fri, Jul 6, 2012 at 6:18 AM, Doug Burks <doug.burks at gmail.com> wrote:
>> I'm currently working on rebuilding my Security Onion distro on Ubuntu
>> 12.04 64-bit and am looking at pfring vs afpacket, so this is a very
>> interesting discussion.  I like the simplicity of Suricata's afpacket
>> fanout support, but since we also run Bro, we'd have to do pfring
>> anyway.  And since we have non-pfring applications (like daemonlogger)
>> and have to support as many NICs as possible, we'd be using pfring
>> transparent_mode 0.  So given all that, should we go with pfring for
>> Suricata, or is there some advantage to using afpacket in this
>> scenario?
>>
>> Thanks,
>> Doug
>>
>> On Fri, Jul 6, 2012 at 4:21 AM, Victor Julien <victor at inliniac.net> wrote:
>>> On 07/06/2012 10:17 AM, Anoop Saldanha wrote:
>>>>>> And I can verify, if you run pfring, it won't die if you don't send
>>>>>> packets.
>>>>>
>>>>> Yeah, no packets, no shutdown. Blame pfring :)
>>>>>
>>>> Maybe wait for 'x' seconds and if it hasn't shut down yet, inject a
>>>> packet to trigger shutdown.
>>>>
>>>
>>> That would be injecting on the wire, and then even account for the
>>> number of reader threads and the various cluster options. Way too
>>> complicated IMO.
>>>
>>> I think Luca was working on a timeout feature at some point, not sure
>>> what the status is.
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>>
>>>
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>>
>>
>> --
>> Doug Burks
>> http://securityonion.blogspot.com



-- 
Doug Burks
http://securityonion.blogspot.com