0

I want to capture IP traffic on a Linux machine based on the following BPF filter:

`ether[45]=0x11 and ether[68]=0x34`

Incoming traffic is around 20Gbps and the filter discards 95% of the traffic. As my Linux machine gets overloaded, I want to put a hardware filter in front of it.

Can someone suggest a solution? Can a Cisco router provide such functionality?

nkout

1 Answer

0
  1. There's `net.core.bpf_jit_enable`, have you tried enabling it?
  2. There's U32 which I guess could also be used for the purpose of your task.
poige
  • 1. I don't want to filter in the kernel as it overloads my server. 2. What is U32, apart from a submarine? – nkout Feb 28 '13 at 16:33
  • [U32](http://www.lartc.org/howto/lartc.adv-filter.html#LARTC.ADV-FILTER.U32) is a classifier used by `tc`. It lets you match against arbitrary bit patterns in a packet in the kernel, usually for routing purposes or to mark them for later handling by `iptables`. – James Sneeringer Feb 28 '13 at 17:26
  • @JamesSneeringer, don't bother — he doesn't want it to be software (read it would "load his server"), instead he prefers some kind of transistor based circuit built exclusively for that task. ;-P – poige Feb 28 '13 at 17:38
  • It could probably be done with a custom Cisco NBAR definition, since it does allow matching of arbitrary bits in a packet, and some Cisco platforms do NBAR in hardware. You'd match the NBAR definition in a class-map, and then handle (probably drop) non-matching packets in a policy-map. However, I don't know if NBAR can meet the requirement of multiple matches in the same packet. I've never done it before, so I don't feel comfortable submitting it as an actual answer. – James Sneeringer Feb 28 '13 at 19:31
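As an added illustration of the U32 point above (not code from the question or either commenter), the script below turns the two `ether[N]=0xVV` byte tests of the original BPF filter into `tc` u32 matches and prints an ingress filter that passes matching IPv4 packets and drops everything else. It assumes untagged Ethernet (14-byte link header, so u32 offsets are measured from the start of the IP header), an IPv4 filter (`protocol ip`), and a placeholder interface name `eth0`; a VLAN tag would shift the offsets. Note that `tc` also accepts `match u8 0x11 0xff at 31` and does the 32-bit alignment itself; the script spells the aligned form out to show what the kernel actually compares.

```shell
#!/bin/sh
# Added example, not from the original Q&A. Translate BPF "ether[N]=0xVV" tests
# into tc u32 matches. Assumptions: untagged Ethernet (14-byte link header) and
# an IPv4 ("protocol ip") filter, so u32 offsets count from the IP header.

ETH_HDR_LEN=14

# ether_to_u32 ETHER_OFFSET VALUE -> prints "match u32 VAL MASK at WORD_OFFSET"
ether_to_u32() {
    ether_off=$1
    val=$(( $2 ))
    ip_off=$(( ether_off - ETH_HDR_LEN ))
    [ "$ip_off" -ge 0 ] || { echo "ether[$ether_off] lies inside the link header" >&2; return 1; }
    word_off=$(( ip_off & ~3 ))                 # u32 compares 32-bit aligned words
    shift_bits=$(( (3 - (ip_off & 3)) * 8 ))    # byte position within a big-endian word
    printf 'match u32 0x%08x 0x%08x at %d' \
        $(( val << shift_bits )) $(( 0xff << shift_bits )) "$word_off"
}

# build_filter DEV -> prints the tc commands for "ether[45]=0x11 and ether[68]=0x34"
# Both matches sit in one u32 filter, so the packet must satisfy both (logical AND).
build_filter() {
    dev=$1
    m1=$(ether_to_u32 45 0x11) || return 1
    m2=$(ether_to_u32 68 0x34) || return 1
    cat <<EOF
tc qdisc add dev $dev handle ffff: ingress
tc filter add dev $dev parent ffff: protocol ip prio 1 u32 $m1 $m2 action pass
tc filter add dev $dev parent ffff: protocol all prio 2 u32 match u32 0 0 action drop
EOF
}

build_filter eth0    # placeholder interface; the commands need root to apply
```

This is still software filtering in the kernel, the approach the asker ruled out; it shows what U32 can express, not a hardware offload.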