PF_RING for Bro

Hi,

I am looking at increasing the performance of Bro by making use of PF_RING and TNAPI, at the kernel and driver level in Linux. These existing tools from http://www.ntop.org/news.php allow multi-threaded applications to drastically increase performance by making use of functionality that exists in several network cards today.

While PF_RING, TNAPI and other network-card functionality allow for phenomenal speed-up, they have to be tuned right or else they can lead to a negative effect on performance. So I'm trying to determine how to tune them to meet Bro's needs.

As Multi-threaded Bro is not ready yet, I am trying to think of a SIMPLE application that can best characterize the Bro workload. The design criteria that I have for this application so far is-

1. Send every packet belonging to a particular connection to the same core.
2. Introduce a small wait on every packet to simulate Bro's processing of that packet? What will be a good value?

I'd be very interested to have everyone's opinion on this. I really am looking for a very simple algorithm that will be a right approximation.

Thank you,
Sunjeet Singh

Alternatively, can I have the source code for multi-threaded Bro? : )

Sunjeet

(Note, I haven't caught up with the follow-up trehad yet).

1. Send every packet belonging to a particular connection to the same
core.
2. Introduce a small wait on every packet to simulate Bro's processing
of that packet? What will be a good value?

There probably isn't a good value.

I think I'd start with two things:

(1) Just doing nothing in the threads, and

(2) Accessing all the packets' bytes in some form within the
threads, perhaps by calculating a simple checksum.

That should give you a good baseline, including an approximation of
memory effects in (2).

It will be interesting to see the differece between (1) and (2), and
also between them and a pure software version (copy the packets from
a master thread to child threads "manually", as the current
prototype is doing).