Hi everybody,
quick question: is the bro-myricon plugin (by Seth) still necessary when using myricom nics with Zeek? I know with pf_ring this is not the case anymore since bro can be directly linked to a modified pf_ring libpcap and I was wondering if this is the case for myricom too.
Thanks,
Mauro
There are some advantages to using the Myricom plugin directly. Generally in my opinion I've been trying to avoid libpcap wrappers for quite a few years now because of various quality issues associated with several of them that I've experienced. There tends to be API functionality that you don't have an opportunity to take advantage of with a pcap wrapper too.
To some degree this is personal preference though.
.Seth
Hi Seth,
thanks for your prompt reply.
Looking at the myricom software API, I see that they have both a libpcap wrapper and more advanced functionalities in snf.h. Not all source code is open, however, and I am not sure which functionalities are implemented in the libpcap wrappers. In your plugin you are using snf_open to open the NIC device. I would like to open a Myricom NIC with both aggregation and load_balancing, i.e.
int flags = SNF_F_PSHARED;
flags |= SNF_F_AGGREGATE_PORTMASK;
struct snf_rss_params rssp;
rssp.mode = SNF_RSS_FLAGS;
rssp.params.rss_flags = SNF_RSS_IP | SNF_RSS_SRC_PORT | SNF_RSS_DST_PORT;
rc = snf_open(portnum, 2, &rssp, dataring_sz, flags, &hsnf);
but I am not sure this works. Did someone ever try it? Myricom documentation is a bit ambiguous on this point...
Mauro
-----Messaggio originale-----
A few years ago I found a bug in the snfv3 shipped libpcap where pcap_next would return the previous packet when no packets were available instead of returning NULL. As far as I know it’s still not fixed.
Hah! I feel like I've seen little problems in every libpcap wrapper I've ever worked with. Never the same problem. 
.Seth
Is anyone aware of other bugs in libpcap? I think this is valuable information to share to the community...
Mauro
-----Messaggio originale-----
Libpcap also makes (with some capture technologies) two calls per packet - one to get the packet and another to get the time stamp. That kills the performance.
When I was developing the early version of the myricom Zeek plugin, I didn’t really notice much, of any, performance improvement.
Btw you can use upstream libpcap and build it yourself against SNF. But why. Get the plugin. It’s easier.
If there are some missing pieces in the plugin I ought be able to help. We not longer have myricoms in production but I keep them in stage servers, for the community 
I wasn't referring to bugs in libpcap. It's the libpcap wrappers (which typically aren't libpcap, but rather reimplementations of some or all of the libpcap api).
.Seth
Sure, sorry I wrote too quickly. What I meant is if someone is aware of other bugs in other libpcap wrappers.
Mauro
-----Messaggio originale-----
Ahh, it's a little hard to track these bugs because they tend to come and go without much documentation because vendors will just fix them in their SDKs and not make a big deal about it.
.Seth