On Tue, Dec 01, 2015 at 10:31:02AM -0500, Aaron Conole wrote:
> The benefit is no dependency on kernel modules (just TUN/TAP support). I
> don't have a way of signaling sampling, so right now, it's just drinking
> from the firehose.

This is actually quite a good idea. Many years ago I coded up a simple connector between DPDK and TAP devices for use with some legacy applications that did not support DPDK. I could definitely connect the output of user-space bpfjit to a TAP device quite easily.

I am somewhat less clear on how to connect tcpdump or other standard libpcap based entities up, so that one could change the capture filters or other settings from outside the DPDK application. I am hoping some of the network API experts can comment on this since I'm just a security specialist.

How are you letting people configure the capture filter in this scenario?

Matthew.