I have a system connected to a SPAN port which pumps out a near-constant 10Gbps of raw network traffic. My main objective is to observe all DHCP traffic with zero loss, but I also need to be able to observe the (acceptably lossy) stream of non-DHCP traffic. The native interface is currently dropping about 0.25% of all traffic as-is.
To get this working I'm envisioning the following:
- Inbound SPAN traffic comes in on a single interface which prioritizes DHCP above all else
- Traffic is routed to two virtual interfaces based on whether it is DHCP (port 67/68) or not
The code that I'm using to process/analyze the traffic can be run in parallel, and each instance can watch a different interface. The biggest unknown for me is that it uses PF_RING. I am not overly familiar with PF_RING, and have not been able to tell if it is preventing the tc-based filtering from working as I expect.
I've attempted to get this working via tc, but am struggling to get it to work as expected. I used the following sequence of commands, where br0 is the original input interface:
ip link add dummy0 type dummy
ip link set dummy0 up
# Create the ingress queue discipline
tc qdisc add dev br0 handle ffff: ingress
# Redirect DHCP (UDP port 67/68, either direction) to dummy0.
# u32 accepts a packet when (field & mask) == (value & mask), so the port mask
# must be 0xffff: with 0x00ff only the low byte is compared and ports 323, 579,
# ... match as well. "match ip protocol 17 0xff" restricts the rule to UDP.
tc filter add dev br0 parent ffff: protocol ip u32 match ip protocol 17 0xff match ip dport 67 0xffff action mirred egress redirect dev dummy0
tc filter add dev br0 parent ffff: protocol ip u32 match ip protocol 17 0xff match ip dport 68 0xffff action mirred egress redirect dev dummy0
tc filter add dev br0 parent ffff: protocol ip u32 match ip protocol 17 0xff match ip sport 67 0xffff action mirred egress redirect dev dummy0
tc filter add dev br0 parent ffff: protocol ip u32 match ip protocol 17 0xff match ip sport 68 0xffff action mirred egress redirect dev dummy0
This seems to get DHCP traffic mirrored to a virtual interface (dummy0) on a test VM which is not running PF_RING, but when I try the same on my full system it produces erratic results (I get non-DHCP things on the dummy0 interface, and it looks like I'm missing DHCP traffic as well). I also have not been able to get DHCP-based prioritization working on the input interface, which I think is just my lack of understanding of the tc PRIO command set.
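The script below is an added example and is not part of the question or the poster's setup. It does two things: it models u32's masked comparison (the selector accepts a packet when `field & mask == value & mask`) so you can see exactly which ports a `match ip dport 67 0x00ff` selector lets through, and it installs the DHCP/non-DHCP split with the flower classifier, which takes ports directly and can also match 802.1Q-tagged frames (a SPAN session frequently delivers tagged frames, and those are only seen by `protocol 802.1Q` filters). The interface names br0, dummy0 and dummy1 are assumptions; with DRY_RUN=1 (the default) the tc/ip commands are printed rather than executed, and DRY_RUN=0 applies them as root. Two caveats on the prioritization part of the question: the ingress qdisc is classless, so a PRIO qdisc cannot hang off it (received traffic is normally prioritised by redirecting it to an ifb device and attaching the qdisc to that device's egress), and no tc arrangement recovers frames the NIC dropped before tc ran, which is where loss at 10Gbps usually occurs.

```shell
#!/bin/sh
# Added example, not code from the original post. Splits SPAN traffic arriving
# on IN into DHCP (-> DHCP_DEV) and everything else (-> REST_DEV) with the
# flower classifier, and models the u32 mask comparison to show why
# "match ip dport 67 0x00ff" lets non-DHCP ports through.
# Interface names are assumptions. DRY_RUN=1 (default) prints the commands
# instead of running them; DRY_RUN=0 applies them (needs root).

IN="${IN:-br0}"
DHCP_DEV="${DHCP_DEV:-dummy0}"
REST_DEV="${REST_DEV:-dummy1}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# u32 accepts a packet when (field & mask) == (key & mask). Exit status 0
# when PORT would be selected by "match ip dport KEY MASK".
u32_port_matches() {   # port key mask
    [ $(( $1 & $3 )) -eq $(( $2 & $3 )) ]
}

# Number of 16-bit port values a "KEY MASK" selector accepts. "67 0x00ff"
# accepts 256 of them (67, 323, 579, ...); "67 0xffff" accepts exactly one.
u32_port_match_count() {   # key mask
    n=0; p=0
    while [ "$p" -le 65535 ]; do
        if u32_port_matches "$p" "$1" "$2"; then n=$((n + 1)); fi
        p=$((p + 1))
    done
    echo "$n"
}

setup_split() {
    for dev in "$DHCP_DEV" "$REST_DEV"; do
        run ip link add "$dev" type dummy
        run ip link set "$dev" up
    done
    run tc qdisc add dev "$IN" handle ffff: ingress
    # pref 10: DHCP/BOOTP, i.e. UDP with port 67 or 68 in either direction.
    # Tagged frames only match "protocol 802.1Q" filters, so each rule is
    # installed twice: once for untagged and once for 802.1Q-tagged frames.
    for port in 67 68; do
        for dir in src_port dst_port; do
            run tc filter add dev "$IN" parent ffff: pref 10 protocol ip flower \
                ip_proto udp "$dir" "$port" \
                action mirred egress redirect dev "$DHCP_DEV"
            run tc filter add dev "$IN" parent ffff: pref 10 protocol 802.1Q flower \
                vlan_ethtype ip ip_proto udp "$dir" "$port" \
                action mirred egress redirect dev "$DHCP_DEV"
        done
    done
    # pref 20: whatever pref 10 did not redirect (including non-IP frames).
    run tc filter add dev "$IN" parent ffff: pref 20 matchall \
        action mirred egress redirect dev "$REST_DEV"
}

# Per-filter counters: if the DHCP rules show no hits while the DHCP device
# still sees traffic, the frames are not matching the way you expect.
verify_split() {
    run tc -s filter show dev "$IN" parent ffff:
}

case "${1:-}" in
    setup)  setup_split ;;
    verify) verify_split ;;
    masks)  echo "67 0x00ff matches $(u32_port_match_count 67 0x00ff) ports;" \
                 "67 0xffff matches $(u32_port_match_count 67 0xffff) port" ;;
esac
```

Run `./split.sh masks` to see the two mask counts, `./split.sh setup` to print the commands it would apply, and `DRY_RUN=0 ./split.sh setup` followed by `DRY_RUN=0 ./split.sh verify` on the real box; the `tc -s filter show` output carries a packet count per mirred action, which is the quickest way to tell whether DHCP frames are being classified at all before suspecting PF_RING.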