klkbranch at hotmail
Jul 22, 2005, 1:17 PM
Post #1 of 1
(460 views)
Permalink
|
|
PF_RING captures no packets from bonded interfaces
|
|
Hi,
Many thanks to the developer and contributors to the PF_RING patch. I'm
quite impressed with it and hope to make real use of it in my environment.
I recently applied the PF_RING 3.0 patch to the 2.6.11.4 kernel from
kernel.org and then installed the patched kernel onto my Suse 9.3 NIDS
box. I was able to compile the patched libpcap and relink my suite of
packet capturing apps against it, and the tools were successfully
capturing packets until I tried them against a bonded interface. My box
has a quad port NIC (just 100Mbit) and two of those ports go to a
passive tap that sniffs the upstream and downstream traffic at a
specific point on my network. Those two interfaces ("dmza" and "dmzb")
are bonded together into an interface I call "dmz". With the standard
libpcap, sniffing bonded interfaces works like a charm, but with the
PF_RING-patched libpcap, I can run tcpdump against "dmza" or "dmzb" and
see packets go by, but if I try tcpdump against the "dmz" bonded
interface, I get zero packets captured every time.
Is there any hope for using PF_RING on bonded interfaces?
Here is the code that runs at boot time to bond my "dmza" and "dmzb"
interfaces into a single virtual "dmz" interface
modprobe bonding
ip link set dev dmz up
ifconfig dmz -arp promisc up
ifenslave dmz dmza dmzb
Here's what I get when I run tcpdump against the bonded interface
# tcpdump -i dmz
Open RING [fd=3]
RING (dmz):
tot_slots=8004/slot_len=131/insertIdx=0/remove_idx=0/dropped=0
tcpdump: WARNING: dmz: no IPv4 address assigned
pcap[setsockopt(0)]
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on dmz, link-type EN10MB (Ethernet), capture size 96 bytes
(nothing happens, so I hit ctrl-c)
RING: numPollCalls=1 [0.0 packets/call]
RING: [tot_pkts=0][tot_read=0][tot_lost=0]
0 packets captured
0 packets received by filter
0 packets dropped by kernel
Thanks in advance for your thoughts,
Kevin
|
