How to run my DPDK application and Suricata simultaneously?

Introduction:

My DPDK application processes all traffic on the NIC with PCI serial number 0000:08:00.3. I want to use Suricata to analyze the traffic on 0000:08:00.3 without affecting the normal operation of the DPDK application. Please help me, I would greatly appreciate it!

Suricata version: 7.03
Operating system: CentOS 7
Installed Suricata from: Source

Error info:

[root@localhost suricata-7.0.3]# sudo /usr/local/bin/suricata  --dpdk -v
Info: conf-yaml-loader: Configuration node 'copy-iface' redefined.
Notice: suricata: This is Suricata version 7.0.3 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 8
Info: suricata: Setting engine mode to IDS mode by default
Info: exception-policy: master exception-policy set to: auto
Info: conf: Running in live mode, activating unix socket
Info: logopenfile: fast output device (regular) initialized: fast.log
Info: logopenfile: eve-log output device (regular) initialized: eve.json
Info: logopenfile: stats output device (regular) initialized: stats.log
Info: detect: 1 rule files processed. 37006 rules successfully loaded, 0 rules failed, 0
Info: threshold-config: Threshold config parsed: 0 rule(s) found
Info: detect: 37009 signatures processed. 1135 are IP-only rules, 4951 are inspecting packet payload, 30711 inspect application layer, 108 are decoder event only
EAL: Cannot create lock on '/var/run/dpdk/rte/config'. Is another primary process running?
EAL: FATAL: Cannot init config
EAL: Cannot init config
Error: dpdk: DPDK EAL initialization error: Operation not permitted

dpdk-devbind:

[root@localhost suricata-7.0.3]# dpdk-devbind --status

Network devices using DPDK-compatible driver
============================================
0000:03:00.0 'WX1860AL4 Gigabit Ethernet Controller 0107' drv=vfio-pci unused=ngbe
0000:03:00.1 'WX1860AL4 Gigabit Ethernet Controller 0107' drv=vfio-pci unused=ngbe
0000:03:00.2 'WX1860AL4 Gigabit Ethernet Controller 0107' drv=vfio-pci unused=ngbe
0000:03:00.3 'WX1860AL4 Gigabit Ethernet Controller 0107' drv=vfio-pci unused=ngbe
0000:08:00.0 'WX1860AL4 Gigabit Ethernet Controller 0107' drv=vfio-pci unused=ngbe
0000:08:00.1 'WX1860AL4 Gigabit Ethernet Controller 0107' drv=vfio-pci unused=ngbe
0000:08:00.2 'WX1860AL4 Gigabit Ethernet Controller 0107' drv=vfio-pci unused=ngbe
0000:08:00.3 'WX1860AL4 Gigabit Ethernet Controller 0107' drv=vfio-pci unused=ngbe

Config:

dpdk:
  eal-params:
    proc-type: primary
  interfaces:
    - interface: 0000:08:00.3 
      threads: 1
      promisc: true 
      multicast: true 
      checksum-checks: true 
      checksum-checks-offload: true
      mtu: 1500 

Hi there,

DPDK doesn’t support reading by multiple apps from 1 interface natively.
You can put some extra application in between the port and the desired applications - e.g. OpenVSwitch - but that wouldn’t allow you to run the DPDK applications natively (probably). Otherwise, you could create a custom application to duplicate packets.

Maybe a more interesting solution would be to configure multiple Virtual Functions through SR-IOV and apply rte_flow rules for traffic duplication - it is possible to duplicate the traffic to multiple queues of one NIC, hopefully it could be possible to dup. traffic to multiple VFs. Not sure about the support of RTE_FLOW on your NIC though.

https://doc.dpdk.org/guides/prog_guide/switch_representation.html
https://doc.dpdk.org/guides/prog_guide/rte_flow.html

If you can duplicate the traffic before the NIC (to the other port of the NIC) it might be just the simplest solution. Btw EAL parameter file-prefix lets you run multiple DPDK apps at the same time.
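
As an added example (not from the original posts or from the Suricata project), this is how the file-prefix EAL parameter mentioned in the reply could look in the dpdk section of suricata.yaml. It assumes the existing DPDK application keeps 0000:08:00.3 under the default prefix (the "rte" seen in the error path) and that a copy of the traffic is mirrored upstream to 0000:08:00.2; the prefix name "suricata" is an arbitrary choice.

```yaml
# Added example, not the poster's configuration.
# Assumptions: the other DPDK application runs as primary under the default
# prefix "rte" and owns 0000:08:00.3; mirrored traffic arrives on 0000:08:00.2.
dpdk:
  eal-params:
    proc-type: primary
    # Use a separate runtime directory (/var/run/dpdk/suricata/ instead of
    # /var/run/dpdk/rte/), so the EAL config lock no longer collides with the
    # primary process that is already running.
    file-prefix: suricata
    # Probe only the port Suricata is meant to own and leave 0000:08:00.3
    # to the other application.
    allow: ["0000:08:00.2"]
  interfaces:
    - interface: 0000:08:00.2
      threads: 1
      promisc: true
      multicast: true
      checksum-checks: true
      checksum-checks-offload: true
      mtu: 1500
```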