Mailing List Archive: NTop: Misc

Transparent_mode=2 but stock tcpdump still working?

jvanick at oaknet

May 13, 2011, 7:33 AM

Post #1 of 6 (574 views)
Transparent_mode=2 but stock tcpdump still working?

I'm stumped here.

I have installed pf_ring as well as the e1000 driver and have verified that
both of them are correctly getting loaded into the kernel (pf_ring first,
then e1000).

I have verified that the driver that's loaded for the e1000 card is actually
the NAPI driver as provided by pf_ring.

The dilemma (not sure if it really is one or not) is that I'm loading pf_ring
with transparent_mode=2.

The PF_RING-aware tcpdump is showing packets being received

-and-

the normal tcpdump that comes with CentOS is showing packets.

What gives? I was under the impression that in transparent mode 2, I'd only see
packets with the PF_RING-aware tcpdump.

Any ideas or pointers on where I can look will be greatly appreciated.

Thank you in advance!

-J


c.d.wakelin at reading

May 13, 2011, 8:53 AM

Post #2 of 6 (574 views)
Re: Transparent_mode=2 but stock tcpdump still working? [In reply to]

Is the stock tcpdump linking against the PF_RING libpcap? What does
"ldd" show? Do you get anything in /proc/net/pf_ring/eth<x>-<pid> when
the stock tcpdump is running?

Best Wishes,
Chris

--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin [at] reading
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


jvanick at oaknet

May 13, 2011, 9:04 AM

Post #3 of 6 (623 views)
Re: Transparent_mode=2 but stock tcpdump still working? [In reply to]

When /usr/sbin/tcpdump is running:

[root@labsniffer0 pf_ring]# cat info
PF_RING Version : 4.6.3 ($Revision: exported$)
Ring slots : 4096
Slot version : 13
Capture TX : Yes [RX+TX]
IP Defragment : No
Transparent mode : No (mode 2)
Total rings : 0
Total plugins : 0

When the pf_ring tcpdump is running:

[root@labsniffer0 pf_ring]# cat info
PF_RING Version : 4.6.3 ($Revision: exported$)
Ring slots : 4096
Slot version : 13
Capture TX : Yes [RX+TX]
IP Defragment : No
Transparent mode : No (mode 2)
Total rings : 1
Total plugins : 0
[root@labsniffer0 pf_ring]#

Even weirder:

[root@labsniffer0 ~]# ldd /usr/sbin/tcpdump
linux-gate.so.1 => (0x001f6000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x06b2c000)
libc.so.6 => /lib/libc.so.6 (0x0099b000)
libdl.so.2 => /lib/libdl.so.2 (0x00af6000)
libz.so.1 => /usr/lib/libz.so.1 (0x00ba5000)
/lib/ld-linux.so.2 (0x00977000)
[root@labsniffer0 ~]#

[root@labsniffer0 tcpdump-4.1.1]# ldd ./tcpdump
linux-gate.so.1 => (0x0086f000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00afd000)
libc.so.6 => /lib/libc.so.6 (0x0099b000)
/lib/ld-linux.so.2 (0x00977000)
[root@labsniffer0 tcpdump-4.1.1]#

I don't even see it linking pf_ring or even pcap in?

--Jason


c.d.wakelin at reading

May 13, 2011, 9:10 AM

Post #4 of 6 (569 views)
Re: Transparent_mode=2 but stock tcpdump still working? [In reply to]

Looks like they're statically linked, then. I guess it was worth a try :)

(You can spot a binary with PF_RING statically linked in using "strings"
and looking for things like "PCAP_NO_PF_RING".)

The only other thing I can think of is you're picking up different
ethernet interfaces (are you specifying "-i" in both cases?)

Best Wishes,
Chris
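
Added example, not code from this thread or from the PF_RING project: a small POSIX shell script that automates the three checks Chris suggests above. `classify_pcap_linkage` reads `ldd` output and reports whether a libpcap.so is dynamically linked (in which case its path tells you which libpcap the binary picks up) or absent from the list, which is what a statically linked libpcap looks like, as with the CentOS /usr/sbin/tcpdump in this thread. `has_pf_ring_strings` searches the binary's printable strings for `PCAP_NO_PF_RING`, the marker Chris names, because `ldd` cannot see a statically linked PF_RING libpcap. `rings_for_pid` lists the `<iface>-<pid>` entries under /proc/net/pf_ring for a capturing process. The script file name and the optional command-line arguments are assumptions; the functions work on any text or file you hand them.

```shell
#!/bin/sh
# Added example, not from the thread or from PF_RING: automate the linkage
# checks suggested above (ldd, strings for PCAP_NO_PF_RING, /proc/net/pf_ring).

# Classify a binary's libpcap linkage from the text of its `ldd` output.
#   dynamic - a libpcap.so is listed; its path tells you which libpcap
#             (stock or PF_RING-patched) the binary picks up at run time
#   static  - no libpcap in the list, as with the CentOS /usr/sbin/tcpdump in
#             the thread; libpcap is compiled in and ldd cannot tell you more
classify_pcap_linkage() {
    # $1: ldd output
    case "$1" in
        *libpcap.so*) echo dynamic ;;
        *)            echo static ;;
    esac
}

# A statically linked PF_RING libpcap still carries the names of the environment
# variables it reads, PCAP_NO_PF_RING among them; grep the printable strings
# (same idea as `strings binary | grep PF_RING`, without needing binutils).
has_pf_ring_strings() {
    # $1: path to the binary; returns 0 if the PF_RING marker is present
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -q 'PCAP_NO_PF_RING'
}

# List the <iface>-<pid> ring entries PF_RING exposes for a process. A capture
# that really goes through PF_RING shows up here; a stock libpcap capture does not.
rings_for_pid() {
    # $1: pid; $2: pf_ring proc directory (default /proc/net/pf_ring)
    dir="${2:-/proc/net/pf_ring}"
    for f in "$dir"/*-"$1"; do
        if [ -e "$f" ]; then
            basename "$f"
        fi
    done
}

# Stand-alone use (file name is an assumption):
#   sh check_pfring_tcpdump.sh /path/to/tcpdump [pid-of-running-capture]
if [ $# -ge 1 ] && [ -x "$1" ]; then
    echo "libpcap linkage : $(classify_pcap_linkage "$(ldd "$1" 2>/dev/null)")"
    if has_pf_ring_strings "$1"; then
        echo "PF_RING markers : present"
    else
        echo "PF_RING markers : absent"
    fi
    if [ $# -ge 2 ]; then
        echo "rings for pid $2 : $(rings_for_pid "$2" | tr '\n' ' ')"
    fi
fi
```

On the box in this thread, the stock binary would classify as `static` with no PF_RING marker, the PF_RING build as `static` with the marker present, and only the PF_RING build's pid would produce an entry from `rings_for_pid` while it is capturing.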


deri at ntop

May 13, 2011, 9:31 AM

Post #5 of 6 (562 views)
Re: Transparent_mode=2 but stock tcpdump still working? [In reply to]

Hi all,
transparent mode diverts all packets to PF_RING if, and only if, you have a PF_RING-enabled application running at the same time as you start your non-PF_RING tcpdump. Is this your case?

Regards Luca

---
We can't solve problems by using the same kind of thinking we used when we created them - Albert Einstein


jvanick at oaknet

May 16, 2011, 6:55 AM

Post #6 of 6 (561 views)
Re: Transparent_mode=2 but stock tcpdump still working? [In reply to]

Cool, that works perfectly.

I was just trying to verify functionality by running the two different apps
separately.

Never thought to run them simultaneously...

We're perfect now...

Thank you so much for the description of the blocking nature of pf_ring;
that's exactly what I needed to know.

-J

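Added example, not code from this thread or from PF_RING: a shell script that performs the check Luca describes and that Jason confirms above. The point of the thread is that transparent_mode=2 only bypasses the kernel stack while some process holds a PF_RING ring open, which is exactly the difference between the "Total rings : 0" and "Total rings : 1" lines in Jason's /proc/net/pf_ring/info output. `total_rings` and `transparent_state` parse that info text; `live_check` (run only with `--live`, and only if PF_RING is loaded) starts a PF_RING-aware tcpdump in the background so a ring is open, confirms that through the info file, and only then runs the stock tcpdump alongside it for a few seconds. The path of the PF_RING-aware tcpdump (`$PFRING_TCPDUMP`), the interface name, the capture counts and timings are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: verify transparent_mode=2 the way Luca
# describes, i.e. with a PF_RING ring open at the same time as the stock capture.

# Print the "Total rings" value from the text of /proc/net/pf_ring/info
# (format as shown in the thread, e.g. "Total rings : 1").
total_rings() {
    # $1: contents of the info file
    printf '%s\n' "$1" | sed -n 's/^Total rings[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Classify what a capture on this box is actually testing:
#   diverting - at least one ring is open, so with transparent_mode=2 the
#               kernel stack (and a stock tcpdump) should stop seeing traffic
#   no-ring   - nothing holds a ring; packets go to the stack as usual and a
#               stock tcpdump seeing traffic proves nothing (the original post)
transparent_state() {
    # $1: contents of the info file
    n=$(total_rings "$1")
    if [ "${n:-0}" -gt 0 ]; then
        echo diverting
    else
        echo no-ring
    fi
}

# Live procedure. Assumptions: the PF_RING-aware tcpdump is at $PFRING_TCPDUMP,
# the stock one at /usr/sbin/tcpdump, and $IFACE names the sniffing interface.
live_check() {
    iface="${IFACE:-eth0}"
    pf_tcpdump="${PFRING_TCPDUMP:-/usr/local/bin/tcpdump}"   # path is an assumption
    if [ ! -r /proc/net/pf_ring/info ]; then
        echo "PF_RING is not loaded (no /proc/net/pf_ring/info)" >&2
        return 2
    fi

    # Step 1: open a ring by starting the PF_RING-aware capture in the background.
    "$pf_tcpdump" -i "$iface" -n >/dev/null 2>&1 &
    pf_pid=$!
    sleep 2

    # Step 2: do not trust the result unless a ring really is open.
    state=$(transparent_state "$(cat /proc/net/pf_ring/info)")
    echo "pf_ring state: $state; rings for pid $pf_pid: $(ls /proc/net/pf_ring | grep -- "-$pf_pid\$" | tr '\n' ' ')"

    # Step 3: stock tcpdump at the same time. -c 50 ends it early if packets
    # still reach the stack; otherwise it is interrupted after a few seconds
    # and its own "N packets captured" summary tells the story.
    out=$(mktemp)
    /usr/sbin/tcpdump -i "$iface" -n -c 50 >"$out" 2>&1 &
    stock_pid=$!
    sleep 5
    kill -INT "$stock_pid" 2>/dev/null
    wait "$stock_pid" 2>/dev/null
    grep -E 'packets (captured|received)' "$out"

    kill "$pf_pid" 2>/dev/null
    wait "$pf_pid" 2>/dev/null
    rm -f "$out"
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run as root with `IFACE=eth0 PFRING_TCPDUMP=/path/to/pf_ring/tcpdump sh verify_transparent_mode.sh --live` (file name and paths are assumptions). If the state line says `no-ring`, the PF_RING-aware capture did not open a ring and the stock tcpdump result means nothing, which is the trap the original post fell into; with `diverting`, the stock tcpdump should report zero or near-zero packets captured on a mode-2 interface.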