dpdk

Any idea if this will be supported? I can not find any reference in the past year indicating this one way or another.

I am not aware of anyone currently working on this.

Since Bro supports plugins for iosources, this could be added by anyone as
a plugin (which would even be installable using bro-pkg).

Johanna

> Any idea if this will be supported? I can not find any reference in the
> past year indicating this one way or another.

From what I've read so far (e.g.,
DPDK and the new pdump framework for packet capture), I wouldn't expect
major performance boosts. Therefore I am curious: Where do you see the
benefits of using dpdk?

Jan

> Any idea if this will be supported? I can not find any reference in the
> past year indicating this one way or another.

> From what I've read so far (e.g.,
> DPDK and the new pdump framework for packet capture), I wouldn't expect
> major performance boosts. Therefore I am curious: Where do you see the
> benefits of using dpdk?

I believe there would be some benefits in the ability to run high-speed
packet capture in VMs or Containers that are hosted on a cloud management
system (CMS). The world of NFV and service function chaining (which
encompasses IDSs such as Bro) often relies on DPDK applications.

Many of the CMS providers (e.g. OpenStack, Kubernetes, etc.) rely on
DPDK-enabled vSwitches such as OVS and VPP for accelerated packet
distribution. A DPDK-enabled Bro would be able to take advantage of
bypassing the VM kernel as well as reading the packets directly from the
vSwitch's shared memory (some possible security concerns there).

A brief overview of how this would work with openvswitch is at [1].

Other potential benefit areas for the virtual space are when using SR-IOV,
which has different drivers (ixgbevf & i40evf) that aren't widely
supported by zero-copy technologies (NOTE: netmap has recently included
support for ixgbevf, and packet-bricks may be able to read from virtio
devices and fanout, but I haven't tested yet).

I don't know that these benefits are enough to justify the amount of
development work it would take to implement and maintain a DPDK packet
acquisition plugin. Just throwing out an answer to the question. :)

[1] https://software.intel.com/en-us/articles/configure-vhost-user-multiqueue-for-ovs-with-dpdk

~Ed

Hi Ed,

thanks a lot for your detailed explanation!

> I believe there would be some benefits in the ability to run high-speed
> packet capture in VMs or Containers that are hosted on a cloud management
> system (CMS). The world of NFV and service function chaining (which
> encompasses IDSs such as Bro) often relies on DPDK applications.

With virtualization in mind, using DPDK for packet acquisition seems to
make sense.

> I don't know that these benefits are enough to justify the amount of
> development work it would take to implement and maintain a DPDK packet
> acquisition plugin. Just throwing out an answer to the question. :)

At least it is worth a POC I think :)

Jan

DPDK-enabled apps are apparently something that can be built on FreeBSD, just need the port as recommended by Intel.

I have not been able to play with this, but it would be nice to have options in addition to netmap for fast packet acquisition on FreeBSD.