Hi Pavel for 10 Gbit line-rate you definitely need ZC, you can use hw RSS for spreading load across multiple instances of your application or custom software distribution (using for instance zbalance_ipc).
For packet parsing you can use pfring_parse_pkt(), according to what you need you should call: pfring_parse_pkt(pkt /* u_char* */, &hdr /* struct pfring_pkthdr* */, 3 /* up to L3 */, 0 /* no timestamp */, 0 /* no hash */); Alfredo > On 23 Oct 2014, at 20:00, Pavel Odintsov <[email protected]> wrote: > > Hello, folks! > > I'm working on OSS solution for DDoS detection > (https://github.com/FastVPSEestiOu/fastnetmon) and passed through hard > way of: pcap, ulog2, pf_ring. > > I'm really amazed PF_RING and I can analyze streams up to 2 million > packets per second on really slow hw (i7 2600 with Intel 82599). > > But my final target - provide monitoring ability on wire rate 10GBps > and 14Mpps. I tried to use plain pf_ring, multichannel pf_ring and > start thinking about ZC.... > > Maybe somebody can recommend best and fastest approach for my task? I > need small amount of packet headers (src/dst ip, src/dst port, > protocol). For extracting data I surely need some sort of packets > parser. > > Fastest solution which I did now is multichannel pf_ring with 8 > threads for collection data. But I can process only up to 2-3 MPPS and > after this I got completely overloaded system: > https://www.dropbox.com/s/m2ywqgwul8ka7ww/htoppng.png?dl=0 > > Is it possible to process more packets on non-zc PF_RING or I should > go to ZC mode? :( > > -- > Sincerely yours, Pavel Odintsov > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc _______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
