PF_PACKET load balancing

Albert_Zaharovits · June 26, 2015, 8:04am

Hello,

I am experimenting with several OpenSource IDS on Linux.
My concern is load balancing across mmap-ed packet rings.
Some of them have AF_PACKET socket load balancing (Suricata) while others don’t, and rely on PF_RING (Bro).
When I say load balancing I mean PACKET_FANOUT sock option.

The following setup looks like a silver bullet for me:
You compile them (the IDS) with the latest version of pcap, and use pcap filters to achieve load balancing.

Am I missing something?

Best,
Albert

Seth_Hall3 · June 26, 2015, 3:01pm

I’ve actually implemented BPF filters for load balancing before and it’s not good. You end up having to implement the modulus operator in BPF (yes, it’s possible) but then that expensive filter ends up being executed for each separate process. A user tested it on a large network and the result was bad.

.Seth

Topic		Replies	Views
af_packet vs pfring Zeek	2	89	May 6, 2022
Is PF_RING much better than AF packet plugin? Zeek	1	466	May 6, 2022
PF_Ring plugin Issue Zeek	3	90	May 6, 2022
Bad load balancing with PF_RING cluster Zeek	2	249	July 8, 2022
zbalance_ipc and Zeek Zeek	3	162	May 6, 2022

PF_PACKET load balancing

Related Topics