Re: [dpdk-dev] [Snort-devel] 答复: A mutithreaded DPDK DAQ Module for Snort 3.0

Re: [dpdk-dev] [Snort-devel] 答复: A mutithreaded DPDK DAQ Module for Snort 3.0

[Zhu, Heqing]

Nacht:

what about to submit the dpdk patch to DPDK.org?  It is a good piece of work, it will make sense to avoid the extra patch whenever possible.  We will review this patch by the mailing list.

From: Nacht Z [mailto:NachtZ@outlook.com]
Sent: Friday, September 16, 2016 10:56 AM
To: snort-devel@lists.sourceforge.net
Subject: [Snort-devel] 答复: A mutithreaded DPDK DAQ Module for Snort 3.0


I have made three patch for DPDK-16.04<https://github.com/NachtZ/daq_dpdk/blob/master/dpdk.patch>, DAQ-2.1.0<https://github.com/NachtZ/daq_dpdk/blob/master/daq.patch> and Snort-3.0.0-a4-201-auto<https://github.com/NachtZ/daq_dpdk/blob/master/snort.patch> now.
Patch dpdk.patch to dpdk and then install dpdk.
Patch daq.patch to daq and then install daq.
For snort, we need to first ./configure and then patch snort.patch to snort path and then install snort.

The case you said is what I haven’t considered. I’ll try to solve this problem.

________________________________
发件人: Michael Altizer <mialtize@cisco.com<mailto:mialtize@cisco.com>>
发送时间: 2016年9月15日 22:49:34
收件人: snort-devel@lists.sourceforge.net<mailto:snort-devel@lists.sourceforge.net>
主题: Re: [Snort-devel] A mutithreaded DPDK DAQ Module for Snort 3.0

Thanks, NachtZ - this looks like a great start to a multi-threaded DPDK DAQ module.  It might be better if you were to offer it as a standalone DAQ module for the time being (see https://github.com/Xiche/daq_odp for an example).

Just a warning for anyone trying to just pick this up and use it: like NachtZ said, each packet thread will only receive packets from a single interface.  This means that Snort inspection will be generally ineffectual in an inline scenario as any given packet thread will only be looking at one direction of the traffic and be fairly confused when it comes to bidirectional protocols (say, TCP).

On 09/13/2016 10:18 AM, Nacht Z wrote:

Hello Everyone:

I have implemented a multithreaded DPDK DAQ module for daq 2.10 and snort 3.0. Here is the project link in github:DPDK_DAQ<https://github.com/NachtZ/daq_dpdk>.
The link is a complete daq-2.1.0 project and a guide about how to install and use the mode in snort 3.0.
This module supports multithread and have changed relationship between snort3.0’s pigs(infact that’s thread’s another name in snort3.0) and NICs. A pig
can only have one NIC in dpdk module. So if you want to run muti-nics, you should use -z option in snort3. If not, you can only use one nic in fact.
I have also test the performance by using Spirent Test Center. I linked the snort and Test Center like this:

 Spirent Port0   <-------------->   Snort Port2

      ↑                                  ↑

      |                                  |

      |                                  |

      ↓                                  ↓

 Spirent Port1   <-------------->   Snort Port3

I send packets from the port0 to port2 and port1 to port3. The snort(run inline mode and with bps mode ‘not ip’) forward the flows as the link port2 -> port3-> port1 and port3->port2->port0 at the
same time. In my 82599ES, I can run nealy full speed(99%) in 10G LAN mode without losing packets.(But when I run 100 speed it will lose 4445/500000000 packets.)

This project is based on daq_netmap.c module and Tiwei Bie’s project<https://sourceforge.net/p/snort/mailman/message/35162409/>.

Any comments would be appreciated. Thanks a lot!
Best wishes
NachtZ




------------------------------------------------------------------------------




_______________________________________________

Snort-devel mailing list

Snort-devel@lists.sourceforge.net<mailto:Snort-devel@lists.sourceforge.net>

https://lists.sourceforge.net/lists/listinfo/snort-devel

Archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel



Please visit http://blog.snort.org for the latest news about Snort!