
Mailing List Archive: NTop: Dev

daq-pfring set application name patch

 

 



vpiserchia at gmail

Jul 24, 2012, 8:16 AM

Post #1 of 7 (290 views)
Permalink
daq-pfring set application name patch

Hi,

pls consider the following little patch that sets the application name
in the daq_pfring module:


Index: daq_pfring.c
===================================================================
--- daq_pfring.c (revision 5595)
+++ daq_pfring.c (working copy)
@@ -95,6 +95,7 @@
char *device = context->devices[id];
int pfring_rc;
pfring *ring_handle;
+ char buf[32];

if(!device) {
DPE(context->errbuf, "%s", "PF_RING a device must be specified");
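Review bot: the new `char buf[32]` at the top of the function is sized with a bare literal, and 32 bytes cannot hold the longest string the format used further down can produce: "snort-cluster-%d-thread-%d" has 22 fixed characters plus two ints of up to 11 characters each, which is 45 bytes with the terminator. snprintf truncates instead of overflowing, but two rings could then end up with the same truncated name. Size the buffer from a named constant that covers the worst case, or from whatever limit pfring_set_application_name() documents, and say in a comment which one it is.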
@@ -149,6 +150,14 @@
pfring_close(ring_handle);
return -1;
}
+
+ snprintf(buf, sizeof(buf), "snort-cluster-%d-thread-%d",
context->clusterids[id], id);
+ pfring_set_application_name(ring_handle, buf);
+
+ } else {
+ snprintf(buf, sizeof(buf), "snort");
+ pfring_set_application_name(ring_handle, buf);
+
}

pfring_set_poll_watermark(ring_handle, context->watermark);
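Review bot: both added calls to pfring_set_application_name() discard the return value, so a failure to set the name goes unnoticed; either check it and report through DPE(context->errbuf, ...) as the surrounding code does, or add a comment saying the failure is deliberately non-fatal. The return value of the first snprintf is ignored as well, so a truncated cluster/thread name is not detected. In the else branch, formatting the constant "snort" into buf is unnecessary, since the literal can be passed to the call directly.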


regards
vito Piserchia
_______________________________________________
Ntop-dev mailing list
Ntop-dev [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-dev


cardigliano at ntop

Jul 24, 2012, 8:42 AM

Post #2 of 7 (277 views)
Permalink
Re: daq-pfring set application name patch [In reply to]

available in svn, thank you

Alfredo

On Jul 24, 2012, at 5:16 PM, vpiserchia [at] gmail wrote:

> Hi,
>
> pls consider the following little patch that sets the application name
> in the daq_pfring module:
>
>
> Index: daq_pfring.c
> ===================================================================
> --- daq_pfring.c (revision 5595)
> +++ daq_pfring.c (working copy)
> @@ -95,6 +95,7 @@
> char *device = context->devices[id];
> int pfring_rc;
> pfring *ring_handle;
> + char buf[32];
>
> if(!device) {
> DPE(context->errbuf, "%s", "PF_RING a device must be specified");
> @@ -149,6 +150,14 @@
> pfring_close(ring_handle);
> return -1;
> }
> +
> + snprintf(buf, sizeof(buf), "snort-cluster-%d-thread-%d",
> context->clusterids[id], id);
> + pfring_set_application_name(ring_handle, buf);
> +
> + } else {
> + snprintf(buf, sizeof(buf), "snort");
> + pfring_set_application_name(ring_handle, buf);
> +
> }
>
> pfring_set_poll_watermark(ring_handle, context->watermark);
>
>
> regards
> vito Piserchia
> _______________________________________________
> Ntop-dev mailing list
> Ntop-dev [at] listgateway
> http://listgateway.unipi.it/mailman/listinfo/ntop-dev



c.d.wakelin at reading

Jul 24, 2012, 9:01 AM

Post #3 of 7 (284 views)
Permalink
Re: daq-pfring set application name patch [In reply to]

Funnily enough, I'd just done something similar for libpcap:

--- pcap-linux.c.orig 2012-07-11 22:26:50.140614153 +0100
+++ pcap-linux.c 2012-07-24 11:32:29.546820579 +0100
@@ -1165,6 +1165,7 @@
/* Code courtesy of Chris Wakelin <c.d.wakelin [at] reading> */
char *clusterId;
int flags = 0;
+ char *appname;

if(handle->opt.promisc) flags |= PF_RING_PROMISC;
if(getenv("PCAP_PF_RING_DNA_RSS")) flags |=
PF_RING_DNA_SYMMETRIC_RSS;
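Review bot: the added `char *appname;` will hold the pointer returned by getenv(), which must not be written through; declare it `const char *appname` if pfring_set_application_name() accepts a const pointer, and consider declaring it in the block that uses it instead of at function scope. A one-line comment naming the PCAP_PF_RING_APPNAME variable it comes from would also help, since the other environment switches here are read inline.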
@@ -1179,6 +1180,10 @@
else
pfring_set_cluster(handle->ring, atoi(clusterId),
cluster_round_robin);

+ if(appname = getenv("PCAP_PF_RING_APPNAME"))
+ if(strlen(appname) > 0 && strlen(appname) <= 32)
+ pfring_set_application_name(handle->ring, appname);
+
pfring_set_poll_watermark(handle->ring, 1 /* watermark */);
handle->ring->dna.dna_rx_sync_watermark = 0; /* trick
(otherwise tshark wouldn't work with DNA) */
} else
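Review bot: the check `strlen(appname) <= 32` in the added block hard-codes the limit as a bare literal and silently ignores a longer PCAP_PF_RING_APPNAME, so a user who sets a 33-character name gets no name and no diagnostic; take the bound from a named constant and either truncate or emit a warning. The condition `if(appname = getenv("PCAP_PF_RING_APPNAME"))` uses an assignment as a truth value, which most compilers warn about under -Wall; compare against NULL explicitly or add the extra parentheses. strlen() is also evaluated twice, and the nested ifs would be easier to read with braces.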

though it might make sense to try and get the appname from the
commandline or thread name if none is specified otherwise.

I then found it doesn't seem to work with DNA clusters (at least in
PF_RING 5.4.4). I spent a while scratching my head and then realised
that Suricata wasn't managing to set the name either and it was calling
pfring_set_application_name() directly.

On a related note, with DNA clusters, I can't make sense of the device
names in /proc/net/pfring/<pid>-<interface>.nnn; For my DNA cluster
dnacluster:1 (using dna0 as the source) I've got some appearing as
<pid>-dna0.nnn and others as <pid>-dna1.nnn with pfdnacluster_master
itself appearing as expected as <pid>-dna0.nnn

Is this expected behaviour?

Best Wishes,
Chris

On 24/07/12 16:42, Alfredo Cardigliano wrote:
> available in svn, thank you
>
> Alfredo
>
> On Jul 24, 2012, at 5:16 PM, vpiserchia [at] gmail wrote:
>
>> Hi,
>>
>> pls consider the following little patch that sets the application name
>> in the daq_pfring module:
>>
>>

--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin [at] reading
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
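The fallback suggested in the message above (take the name from the command line or the thread name when PCAP_PF_RING_APPNAME is not usable), written out as an added example that is not part of the thread, libpcap or PF_RING. The names `pick_appname`, `usable` and `APPNAME_BUF`, the default "pcap" and the restricted character set are assumptions made for this example; the 32-byte size mirrors `buf[32]` in the daq_pfring patch.

```c
/* Added example: choose an application name from several sources. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

#define APPNAME_BUF 32 /* assumption: mirrors buf[32] in the daq_pfring patch */

/* Accept a candidate only if it is non-empty, fits with its NUL, and uses
 * only [A-Za-z0-9._-] (a conservative choice made for this example). */
static int usable(const char *s) {
  size_t n = s ? strlen(s) : 0;
  if (n == 0 || n >= APPNAME_BUF) return 0;
  return strspn(s, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                   "0123456789._-") == n;
}

/* Order: explicit env value, thread name, basename of argv[0], fixed default.
 * Writes the chosen name to out and returns the index of the source (0..3). */
int pick_appname(const char *env, const char *thread, const char *argv0,
                 char out[APPNAME_BUF]) {
  const char *base = argv0 ? strrchr(argv0, '/') : NULL;
  const char *cand[4];
  int i;
  cand[0] = env;
  cand[1] = thread;
  cand[2] = base ? base + 1 : argv0;
  cand[3] = "pcap"; /* hypothetical default */
  for (i = 0; i < 3 && !usable(cand[i]); i++)
    ;
  snprintf(out, APPNAME_BUF, "%s", cand[i]);
  return i;
}

int main(int argc, char **argv) {
  char thread[16] = "", name[APPNAME_BUF];
#ifdef __linux__
  prctl(PR_GET_NAME, (unsigned long)thread, 0, 0, 0); /* max 15 chars + NUL */
#endif
  int src = pick_appname(getenv("PCAP_PF_RING_APPNAME"), thread,
                         argc > 0 ? argv[0] : NULL, name);
  printf("source=%d name=%s\n", src, name);
  /* name is what would then be handed to pfring_set_application_name() */
  return 0;
}
```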


cardigliano at ntop

Jul 24, 2012, 9:09 AM

Post #4 of 7 (276 views)
Permalink
Re: daq-pfring set application name patch [In reply to]

Chris
thank you also for your patch

On Jul 24, 2012, at 6:01 PM, Chris Wakelin wrote:

> Funnily enough, I'd just done something similar for libpcap:
>
> --- pcap-linux.c.orig 2012-07-11 22:26:50.140614153 +0100
> +++ pcap-linux.c 2012-07-24 11:32:29.546820579 +0100
> @@ -1165,6 +1165,7 @@
> /* Code courtesy of Chris Wakelin <c.d.wakelin [at] reading> */
> char *clusterId;
> int flags = 0;
> + char *appname;
>
> if(handle->opt.promisc) flags |= PF_RING_PROMISC;
> if(getenv("PCAP_PF_RING_DNA_RSS")) flags |=
> PF_RING_DNA_SYMMETRIC_RSS;
> @@ -1179,6 +1180,10 @@
> else
> pfring_set_cluster(handle->ring, atoi(clusterId),
> cluster_round_robin);
>
> + if(appname = getenv("PCAP_PF_RING_APPNAME"))
> + if(strlen(appname) > 0 && strlen(appname) <= 32)
> + pfring_set_application_name(handle->ring, appname);
> +
> pfring_set_poll_watermark(handle->ring, 1 /* watermark */);
> handle->ring->dna.dna_rx_sync_watermark = 0; /* trick
> (otherwise tshark wouldn't work with DNA) */
> } else
>
> though it might make sense to try and get the appname from the
> commandline or thread name if none is specified otherwise.
>
> I then found it doesn't seem to work with DNA clusters (at least in
> PF_RING 5.4.4). I spent a while scratching my head and then realised
> that Suricata wasn't managing to set the name either and it was calling
> pfring_set_application_name() directly.
>
> On a related note, with DNA clusters, I can't make sense of the device
> names in /proc/net/pfring/<pid>-<interface>.nnn; For my DNA cluster
> dnacluster:1 (using dna0 as the source) I've got some appearing as
> <pid>-dna0.nnn and others as <pid>-dna1.nnn with pfdnacluster_master
> itself appearing as expected as <pid>-dna0.nnn
>
> Is this expected behavior?

This is going to our TODO queue, I will also check it. Thanks.

Alfredo

>
> Best Wishes,
> Chris
>
> On 24/07/12 16:42, Alfredo Cardigliano wrote:
>> available in svn, thank you
>>
>> Alfredo
>>
>> On Jul 24, 2012, at 5:16 PM, vpiserchia [at] gmail wrote:
>>
>>> Hi,
>>>
>>> pls consider the following little patch that sets the application name
>>> in the daq_pfring module:
>>>
>>>
>
> --
> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> Christopher Wakelin, c.d.wakelin [at] reading
> IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
> Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
> _______________________________________________
> Ntop-dev mailing list
> Ntop-dev [at] listgateway
> http://listgateway.unipi.it/mailman/listinfo/ntop-dev





cardigliano at ntop

Aug 5, 2012, 4:44 AM

Post #6 of 7 (224 views)
Permalink
Re: daq-pfring set application name patch [In reply to]

Chris
application name and proc device name with DNA clusters have been fixed, please update from svn.

Regards
Alfredo

On Jul 24, 2012, at 6:09 PM, Alfredo Cardigliano <cardigliano [at] ntop> wrote:

> Chris
> thank you also for your patch
>
> On Jul 24, 2012, at 6:01 PM, Chris Wakelin wrote:
>
>> Funnily enough, I'd just done something similar for libpcap:
>>
>> --- pcap-linux.c.orig 2012-07-11 22:26:50.140614153 +0100
>> +++ pcap-linux.c 2012-07-24 11:32:29.546820579 +0100
>> @@ -1165,6 +1165,7 @@
>> /* Code courtesy of Chris Wakelin <c.d.wakelin [at] reading> */
>> char *clusterId;
>> int flags = 0;
>> + char *appname;
>>
>> if(handle->opt.promisc) flags |= PF_RING_PROMISC;
>> if(getenv("PCAP_PF_RING_DNA_RSS")) flags |=
>> PF_RING_DNA_SYMMETRIC_RSS;
>> @@ -1179,6 +1180,10 @@
>> else
>> pfring_set_cluster(handle->ring, atoi(clusterId),
>> cluster_round_robin);
>>
>> + if(appname = getenv("PCAP_PF_RING_APPNAME"))
>> + if(strlen(appname) > 0 && strlen(appname) <= 32)
>> + pfring_set_application_name(handle->ring, appname);
>> +
>> pfring_set_poll_watermark(handle->ring, 1 /* watermark */);
>> handle->ring->dna.dna_rx_sync_watermark = 0; /* trick
>> (otherwise tshark wouldn't work with DNA) */
>> } else
>>
>> though it might make sense to try and get the appname from the
>> commandline or thread name if none is specified otherwise.
>>
>> I then found it doesn't seem to work with DNA clusters (at least in
>> PF_RING 5.4.4). I spent a while scratching my head and then realised
>> that Suricata wasn't managing to set the name either and it was calling
>> pfring_set_application_name() directly.
>>
>> On a related note, with DNA clusters, I can't make sense of the device
>> names in /proc/net/pfring/<pid>-<interface>.nnn; For my DNA cluster
>> dnacluster:1 (using dna0 as the source) I've got some appearing as
>> <pid>-dna0.nnn and others as <pid>-dna1.nnn with pfdnacluster_master
>> itself appearing as expected as <pid>-dna0.nnn
>>
>> Is this expected behavior?
>
> This is going to our TODO queue, I will also check it. Thanks.
>
> Alfredo
>
>>
>> Best Wishes,
>> Chris
>>
>> On 24/07/12 16:42, Alfredo Cardigliano wrote:
>>> available in svn, thank you
>>>
>>> Alfredo
>>>
>>> On Jul 24, 2012, at 5:16 PM, vpiserchia [at] gmail wrote:
>>>
>>>> Hi,
>>>>
>>>> pls consider the following little patch that sets the application name
>>>> in the daq_pfring module:
>>>>
>>>>
>>
>> --
>> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
>> Christopher Wakelin, c.d.wakelin [at] reading
>> IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
>> Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
>> _______________________________________________
>> Ntop-dev mailing list
>> Ntop-dev [at] listgateway
>> http://listgateway.unipi.it/mailman/listinfo/ntop-dev
>



