Zeek Vs. FreeBSD

Hi All,
I tried to install Zeek on my FreeBSD server with netmap support.
But the VirtIO Ethernet driver is not working properly; there are performance problems that should be solved in the latest Netmap release, see:

https://reviews.freebsd.org/D17916

Unfortunately the bro-netmap plugin does not work with that.
It seems that Zeek is unusable in a FreeBSD environment: development of the bro-netmap plugin is closed and it is impossible to parallelize network traffic across multiple Zeek workers.
Does anyone know if updates are currently planned?
Or is anyone using this plugin with the latest Netmap version?
Or, finally, are there other BSD load-balancing solutions?
Thank y’all

Anthon

We’re using FreeBSD with Zeek with Myricom cards and their custom driver to parallelize. We had to pester ARIA a bit for current 11 and 12 builds but they produced them and are working fine.

Some questions to get started:
Which version of FreeBSD are you using?
Which network card are you using?

The biggest issue is parity between the netmap and FreeBSD source
trees, you really need to run FreeBSD-CURRENT to ensure you have all
of the latest changes. There were some issues in the past that
affected even Intel network cards from working correctly, so the types
of cards you are using are very important.

I pushed to get the netmap tools added to the source tree, so you can
build "lb" from the following location and use it:
/usr/src/tools/tools/netmap/lb.c

I am updating a FreeBSD system to see if this still builds correctly
as I have not used LB in a while.

Hi Michael,
I’m using FreeBSD 12.1 and Zeek 3.0.5 (ver. 3.0.6, available in ports, has compilation problems), with 2 NICs without IP, em0 and vtnet1 (em0 is an Intel e1000), but the problem is that the Zeek plugin is not updated (API mismatch).

#ifconfig
vtnet1: flags = 8802 <BROADCAST, SIMPLEX, MULTICAST> metric 0 mtu 1500
options = c00b8 <VLAN_MTU, VLAN_HWTAGGING, JUMBO_MTU, VLAN_HWCSUM, VLAN_HWTSO, link-state routing protocol>
ether something
media: Ethernet 10Gbase-T
status: active
nd6 options = 29 <PERFORMNUD, IFDISABLED, AUTO_LINKLOCAL>

em0: flags = 8802 <BROADCAST, SIMPLEX, MULTICAST> metric 0 mtu 1500
options = 812,098 <VLAN_MTU, VLAN_HWTAGGING, VLAN_HWCSUM, WOL_MAGIC, VLAN_HWFILTER>
ether something
media: Ethernet autoselect (1000baseT )
status: active
nd6 options = 29 <PERFORMNUD, IFDISABLED, AUTO_LINKLOCAL>

on zeekctl start

starting workers …
Error: worker-1-1 terminated immediately after starting; check output with “diag”
Error: worker-1-2 terminated immediately after starting; check output with “diag”

#in dmesg
173.973686 [376] netmap_ioctl_legacy Minimum supported API is 14 (requested 11)
173.973712 [376] netmap_ioctl_legacy Minimum supported API is 14 (requested 11)

#from zeekctl diag
Zeek 3.0.5
FreeBSD 12.1-RELEASE

Zeek plugins:
Bro :: Netmap - Packet acquisition via Netmap (dynamic, version 1.0.0)

==== stderr.log
292.768100 nm_open [920] NIOCREGIF failed: Invalid argument vtnet1} 1
fatal error: problem with interface netmap :: vtnet1} 1 (Invalid argument)

The netmap tools in the kernel sources seem OK: lb starts and the network interface switches to netmap mode.
I think the latest working version of the plugin is compatible with the netmap release available in FreeBSD 11.2, but there are performance issues with vtnets.
Also, tcpreplay doesn’t work when I try to send traffic in netmap mode to a NIC sniffed by Zeek (in FreeBSD 11.2).

Thanks,
Anthon

I had a user error on my part. The following, if run from a FreeBSD
CURRENT system with the kernel source, will build the tools so you can
use them for packet brokering:

cd /usr/src/tools/tools/netmap
make all

The binaries will be located here:
/usr/obj/usr/src/amd64.amd64/tools/tools/netmap

Then you can run LB to set up the packet brokering, in this case just
two pipes set up on em0.
./lb -i em0 -p ids:2 -o 1
143.318741 main [588] interface is em0
143.529856 main [702] successfully opened netmap:em0 (tx rings: 1024)
143.529865 main [774] opening pipe named netmap:ids{0/xT@1
143.530027 nm_mmap [990] do not mmap, inherit from parent
143.530037 main [789] successfully opened pipe #1 netmap:ids{0/xT@1 (tx slots: 1024)
143.530039 main [794] zerocopy enabled
143.530042 main [774] opening pipe named netmap:ids{1/xT@1
143.530131 nm_mmap [990] do not mmap, inherit from parent
143.530137 main [789] successfully opened pipe #2 netmap:ids{1/xT@1 (tx slots: 1024)
143.530140 main [794] zerocopy enabled

Now to see about the netmap plugin working.

Someone recently made a copy of it with updates to work on zeek:

It's hard to tell what changed since it doesn't have the old repo as a
starting point, but it doesn't look like much more than the bro ->
zeek bits.
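
The two signals quoted in this thread, the netmap API rejection in dmesg and lb's pipe setup messages, can be checked mechanically before starting Zeek workers. The following is an added example, not code from any poster or from the Zeek or netmap projects; the function names are hypothetical and the sample inputs are constructed from the log lines quoted above.

```shell
#!/bin/sh
# Added example: triage helpers for the worker start failure in this thread.
# Function names and sample inputs are constructed for illustration.

# stdin: kernel log text. Prints one "MIN REQUESTED" pair per distinct
# netmap API-version rejection (the netmap_ioctl_legacy line in dmesg).
netmap_api_mismatch() {
    sed -n 's/.*netmap_ioctl_legacy Minimum supported API is \([0-9][0-9]*\) (requested \([0-9][0-9]*\)).*/\1 \2/p' | sort -u
}

# stdin: lb output. Prints how many pipes lb reports as opened.
# grep -c exits non-zero on a count of 0, so the status is neutralised.
lb_open_pipes() {
    grep -c 'successfully opened pipe #[0-9]' || true
}

# $1: the -p argument given to lb (e.g. ids:2); stdin: lb output.
# Succeeds only when every requested pipe was opened.
lb_ready() {
    want=${1##*:}
    [ "$(lb_open_pipes)" -eq "$want" ]
}

# stdin: kernel log text. Prints a one-line verdict per mismatch.
triage() {
    netmap_api_mismatch | while read -r min req; do
        echo "netmap client requested API $req, kernel accepts >= $min:" \
             "client was built against an older netmap API"
    done
}

# Constructed samples, copied from the log lines quoted in the thread.
SAMPLE_DMESG='173.973686 [376] netmap_ioctl_legacy Minimum supported API is 14 (requested 11)
173.973712 [376] netmap_ioctl_legacy Minimum supported API is 14 (requested 11)'
SAMPLE_LB='143.529856 main [702] successfully opened netmap:em0 (tx rings: 1024)
143.530037 main [789] successfully opened pipe #1 netmap:ids{0/xT@1
143.530137 main [789] successfully opened pipe #2 netmap:ids{1/xT@1'

printf '%s\n' "$SAMPLE_DMESG" | triage
printf '%s\n' "$SAMPLE_LB" | lb_ready ids:2 && echo "lb: all pipes open"
```

On a live system the same functions take `dmesg` output and lb's own output on stdin in place of the samples.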