Clustered AF_PACKET support

Description

Let's have a support for packet capture with the AF_PACKET sockets in multi worker configuration.

Bro can use a single worker with af_packet, I have tested and it works, but having a direct support for multi-worker load balancing would allow to avoid the pf_ring for many deployments with the traffic level where DNA / ZC / Myricom / DAG is not required.

Environment

None

Activity

Show:
Kris Nielander
October 2, 2015, 6:44 AM

I believe the conditions for it to work depend a little bit too much on libpcap. I would suggest removing it in favor of a separate af_packet plugin, but do leave the pcap buffer patch in place.

Jan Grashoefer
October 2, 2015, 7:18 AM

@Robin: You are right. I have already started writing the AF_PACKET plugin for Bro and I can update my broctl patch as well.

Robin Sommer
October 2, 2015, 2:54 PM

Ok, I'l remove. Looking forward to the plugin!

Michał Purzyński
October 2, 2015, 3:03 PM

Yes, please remove the change and just leave the configurable buffer if you can.

Going through libpcap which might or might not work taught us to write a packet source plugin instead, which won't depend on anything and less code is always nice.

Always nice to learn something.

Robin Sommer
December 18, 2015, 7:31 PM

This has already been removed for a while, closing.

Merged

Assignee

Robin Sommer

Reporter

Michał Purzyński

Labels

None

External issue ID

None

Components

Affects versions

Priority

Normal
Configure