Suricata using DPDK and running other software like Zeek at the same time

What are the options when you are using Suricata with DPDK and want to run something like Zeek on the same inline network traffic at the same time? Has anyone seen any solutions around this? Does Suricata provide any support for mirroring traffic, for example, so other security apps can also review the traffic?

Thanks.

There are a couple of options depending on what your needs (deployment, performance) are.

  • Napatech – probably the most performant, but also not a cheap, solution. Suricata and Zeek can be configured to use the same Napatech streams for packet ingress.
  • AF_PACKET - available in Linux

But is it the case that I can’t use AF_PACKET for Zeek if the interface is used by DPDK (Suricata)? DPDK takes over the kernel interface.

@lukashino will be able to comment on whether DPDK permits resource sharing (network packet streams).

I apologize for the confusing response.

Hi duda,

While I haven’t explored this area properly, here are some of my insights:

  • one of the easiest solutions might be actually using a second port and enabling port mirroring on the switch (if the environment and requirements allow it)
  • for software-based solutions, the whole application stack needs to run on DPDK. If that is OK, then I would explore:
    • VPP and memif - there was somebody in the community who experimented with this, I think it might be a viable option.
    • OpenVSwitch - it runs on DPDK but it doesn’t seem to distribute the traffic directly to DPDK apps - so probably not an option.
    • DPDK ring virtual device: https://doc.dpdk.org/guides/nics/pcap_ring.html#rings-based-pmd I think this could be quite performance-oriented, though you would lose some advanced management capabilities. This allows you to connect two applications together with a ring buffer. I would probably first test the idea with two instances of the testpmd application and only move forward if it actually works. This is a more experimental approach. In this solution, the intermediate applications could be running in an inline mode and hand packets to each other. The last application would then be the “sink”, freeing the incoming packets back to the device mempool.

EDIT:
Here is the link to the discussion I mentioned:

Thanks for these suggestions, I’ll review and try them.