Bro’s current code for getting packets from libpcap needs an overhaul. It’s in pretty bad shape right now: (1) the main packet loop still works around problems with non-blocking mode in older libpcap/OS versions; I would hope that’s not necessary anymore. (2) We don’t have a nice interface for using packet sources other than libpcap; we need an abstraction there. And finally, (3) if we got an interface in place to exploit further NIC-level or OS-level features, like load-balancing, that would be pretty cool.
The task here is designing and implementing an abstracted interface for packet acquisition inside Bro that allows for easy integration of a variety of sources, plugin-style. libpcap would still be the primary source, but there’s also AF_PACKET, Endace’s DAG interface, etc. There are existing efforts that we might be able to leverage here (e.g., libdaq).
We can further integrate abstractions for dynamic control and response. Work has already progressed on a “reaction framework” for Bro which provides the scripting layer with a set of primitives to control traffic (e.g., drop a connection/host from analysis; terminate communication for a connection/host, etc.). We’ll need a way to tell the underlying packet handling about such decisions.
All this should also consider the different features that NICs and other frontend hardware offer, or may offer in the future. This includes a set of new OS-level interfaces to things like load-balancing, and hardware capabilities of, e.g., OpenFlow routers and APIs of devices like cPacket frontends.
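A sketch of the plugin-style source abstraction and the decision feedback path described above, as an added example that is not Bro's code or the project's design. Every name in it (`PacketSource`, `OpenSource`, `Shunt`, the `prefix::path` convention, the in-memory `mem` backend and its packets) is a hypothetical assumption.

```cpp
#include <cstdint>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <vector>
// All names here are hypothetical; none of this is Bro's actual API.
struct Packet { uint32_t flow_id; std::vector<uint8_t> data; };
class PacketSource {
    std::set<uint32_t> shunted_;  // flows the scripting layer asked us to drop
public:
    virtual ~PacketSource() = default;
    virtual bool Open(const std::string& path) = 0;
    bool Next(Packet* out) {  // next packet not shunted; false at end of input
        while (Extract(out))
            if (!shunted_.count(out->flow_id)) return true;
        return false;
    }
    // Feedback hook: a backend with NIC/OS filtering could override this.
    virtual void Shunt(uint32_t flow_id) { shunted_.insert(flow_id); }
protected:
    virtual bool Extract(Packet* out) = 0;  // backend-specific read
};
using Factory = std::unique_ptr<PacketSource> (*)();
std::map<std::string, Factory>& Registry() { static std::map<std::string, Factory> r; return r; }

// "prefix::path" selects a backend; a bare path falls back to "pcap".
std::unique_ptr<PacketSource> OpenSource(const std::string& spec) {
    auto pos = spec.find("::");
    bool bare = pos == std::string::npos;
    auto it = Registry().find(bare ? "pcap" : spec.substr(0, pos));
    if (it == Registry().end()) return nullptr;  // no such backend registered
    auto src = it->second();
    if (!src->Open(bare ? spec : spec.substr(pos + 2))) return nullptr;
    return src;
}
// Constructed in-memory backend standing in for libpcap, AF_PACKET, DAG, ...
class MemSource : public PacketSource {
    std::vector<Packet> pkts_{{1, {0x45}}, {2, {0x45}}, {1, {0x45}}, {3, {0x45}}};
    std::size_t pos_ = 0;
public:
    bool Open(const std::string&) override { pos_ = 0; return true; }
protected:
    bool Extract(Packet* out) override {
        if (pos_ < pkts_.size()) { *out = pkts_[pos_++]; return true; }
        return false;
    }
};
static const bool mem_registered =
    (Registry()["mem"] = [] { return std::unique_ptr<PacketSource>(new MemSource); }, true);
```

The base class filters shunted flows in software, so a backend only overrides `Shunt` when it can push the decision down to hardware or the OS.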
© 2013 The Bro Project. Logo design by DigiP.
