mCore: Running Suricata on DPDK
Peter Cullen, Troy Hanson, Jordi Ros-Giralt, Sruthi Yellamraju, James Ezick, Alison Ryan, Erik Mogus, Richard Lethin
Reservoir Labs

What is mCore?
● A vendor independent high-performance packet forwarding engine
● Runs on any DPDK-capable NIC, leverages DPDK high-performance features
● Forwards packets from the NIC to $N parallel applications, including Suricata and Zeek
● Suricata integration:
  ○ Utilizes multi-threaded workers for scalability
  ○ Easy configuration through suricata.yaml
  ○ Integrated with Suricata stats counters (packets, bytes, drops)

Base Architecture
● mCore controller: Inits, manages, terminates the forwarding engine
● mcore-net-util: User CLI
● Plugins: Support for Zeek, Suricata, TAP
● Can filter traffic using DPDK rte_flow and BPF

High-Performance Optimizations
● Kernel bypass
● Zero packet copy
● Lockless data structures
● Intelligent packet shunting
● NUMA affinity
● CPU/core affinity/pinning
● Multi-core elastic scalability
● Selective packet capture

LongQE™ (Long queue emulation)
Emulates forwarder, avoids compute and cache thrashing overhead

BQE™ (Lockless bimodal queues)
Lockless algorithm to mutate from single-producer/no-consumer to single-producer/single-consumer queue.

TailQE™ (Tail early dropping queue)
Upon congestion, prioritize packets that carry highest entropy

Elephant (LFN) Tables™
Lockless hash table: Negligible false positives, very low false negatives