
deri at ntop
Nov 11, 2009, 2:45 AM
Post #4 of 6
Hi Jeff

On 11/10/2009 10:56 PM, Jeff Harriss wrote:
> Thank you, Luca. Your read me helped me, and I was able to compile.
>
> The settings below work pretty well for me running snort w/some 13,000 rules @ 400 mbits/sec. I only drop around 5% at most.
>
>
> [root [at] hos] cat /proc/net/pf_ring/info
> PF_RING Version : 4.1.0 ($Revision: 3982 $)
> Ring slots : 4096
> Slot version : 10
> Capture TX : No [RX only]
> IP Defragment : No
> Transparent mode : No
> Total rings : 2
> Total plugins : 0
>
>
> [root [at] hos] /usr/src/pf_ring/PF_RING/kernel # ethtool -g eth2
> Ring parameters for eth2:
> Pre-set maximums:
> RX: 4096
> RX Mini: 0
> RX Jumbo: 0
> TX: 4096
> Current hardware settings:
> RX: 4096
> RX Mini: 0
> RX Jumbo: 0
> TX: 256
>
> [root [at] hos] /usr/src/pf_ring/PF_RING/kernel # ethtool -a eth2
> Pause parameters for eth2:
> Autonegotiate: off
> RX: off
> TX: off
>
> I have compiled your specialized igb driver and installed it.
>
> When I attempt to set transparent mode to 1 or 2 my drops suddenly skyrocket to around 20-30% and snort.stats shows a sudden increase in traffic rate (about 75 mbit/sec more). Something seems wrong with that.
>
> Is it possible that I am seeing more traffic when I set transparent mode to 1 or 2 that I am missing in transparent mode 0?
>

The answer is yes and I'll tell you why. How do you know that you have lost a packet?

You can lose packets

1. on the NIC (the NIC has received packets but there's no room on the NIC's memory to save them)

root [at] chumb# ethtool -S eth0
NIC statistics:
rx_packets: 5593363
tx_packets: 1534521
rx_bytes: 1248344098
tx_bytes: 123654265
rx_errors: 37
tx_errors: 0
multicast: 95275
collisions: 8377
rx_length_errors: 0
rx_over_errors: 0
rx_crc_errors: 15
rx_frame_errors: 9
rx_fifo_errors: 0
rx_missed_errors: 0
tx_aborted_errors: 0
tx_carrier_errors: 1
tx_fifo_errors: 0
tx_window_errors: 0
tx_abort_exce_coll: 0
tx_abort_late_coll: 0
tx_deferred_ok: 8182
tx_single_coll_ok: 2101
tx_multi_coll_ok: 3138
tx_underun: 0
tx_trunc: 0
tx_pause: 0
rx_pause: 0
rx_rrd_ov: 0
rx_trunc: 0

So the total of XXXX_errors means that you have lost a packet on the NIC.

2. inside PF_RING (PF_RING has packets to push forward but snort is not reading them fast enough, so new packets will be dropped)

root [at] chumb # cat /proc/net/pf_ring/13748-eth0.0
Bound Device : eth0
Slot Version : 10 [4.1.0]
Sampling Rate : 1
Appl. Name : pfcount
IP Defragment : No
BPF Filtering : Disabled
# Filt. Rules : 1
Cluster Id : 0
Channel Id : -1
Tot Slots : 4111
Bucket Len : 128
Slot Len : 242 [bucket+header]
Tot Memory : 995328
Tot Packets : 111
Tot Pkt Lost : 0 <<<<===== LOOK AT THIS
Tot Insert : 111
Tot Read : 4
Tot Fwd Ok : 0
Tot Fwd Errors : 0
Num Free Slots : 4004

3. inside snort

So the total number of packets lost is the *total* of these numbers.

I believe that moving to transparent 1/2 you pushed many more packets into PF_RING hence you have seen the problem. But in this case with transparent set to 0 you should see many more packets lost with ethtool. Can you confirm this?

Cheers Luca

> Also, does anyone know of a good resource to learn about the tunable parameters of network cards?
>
> Jeff
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc [at] listgateway
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>
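The layer-by-layer accounting described in the reply above, as an added example that is not part of the original post or of PF_RING: it diffs two snapshots of `ethtool -S` output and of a ring file under `/proc/net/pf_ring/`, so drops on the NIC and inside PF_RING can be compared across a transparent mode change. The function names and the sample snapshots are constructed for illustration, and the choice of `rx_*_errors` counters is an assumption, since counter names vary by driver.

```python
import re

def parse_counters(text):
    """Parse 'name : value' lines, the layout shared by `ethtool -S` output
    and a /proc/net/pf_ring ring file, into {name: int}."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(\d+)\b", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def drop_delta(before, after):
    """Drops per layer between two snapshots. Each snapshot is a pair
    (ethtool -S text, ring file text). The counters are cumulative, so
    only the difference over the test interval is meaningful."""
    nic_b, nic_a = parse_counters(before[0]), parse_counters(after[0])
    ring_b, ring_a = parse_counters(before[1]), parse_counters(after[1])
    nic = {}
    for name, value in nic_a.items():
        # Receive-side *_errors counters only (assumed naming, driver-specific).
        if name.startswith("rx_") and name.endswith("_errors"):
            diff = value - nic_b.get(name, 0)
            if diff:
                nic[name] = diff
    return {
        "nic_rx_errors": nic,
        "ring_inserted": ring_a["Tot Insert"] - ring_b["Tot Insert"],
        "ring_lost": ring_a["Tot Pkt Lost"] - ring_b["Tot Pkt Lost"],
    }

# Constructed sample snapshots (not measurements from this thread).
ETHTOOL_T0 = """NIC statistics:
     rx_errors: 37
     rx_crc_errors: 15
     rx_missed_errors: 0
     tx_errors: 0"""
ETHTOOL_T1 = """NIC statistics:
     rx_errors: 37
     rx_crc_errors: 15
     rx_missed_errors: 1200
     tx_errors: 0"""
RING_T0 = "Bound Device : eth0\nTot Pkt Lost : 0 \nTot Insert : 111"
RING_T1 = "Bound Device : eth0\nTot Pkt Lost : 25000\nTot Insert : 475111"

if __name__ == "__main__":
    print(drop_delta((ETHTOOL_T0, RING_T0), (ETHTOOL_T1, RING_T1)))
```

Drops inside snort are the third term of the total and have to be read from snort's own statistics; they are not visible in either of these two sources.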