deri at ntop
Sep 27, 2011, 12:59 AM
Post #5 of 7
Re: pfring aware applications do not reveive pkts from non-pfring NICS
[In reply to]
as follow up to your email can you please confirm if the DNA problem you reported is still present in PF_RING 5.1? If so, what hardware platform do you use?
On Sep 27, 2011, at 9:56 AM, Alfredo Cardigliano wrote:
> see inline
> On Sep 26, 2011, at 8:48 PM, Enrico Papi wrote:
>> we are not setting any BPF filter in snort config
>> consider my previous post without that snort output error.
>> our problem shows up doing the following steps:
>> compile the tcpdump included in the pf_ring tar with libpcap-1.1.1-pf_ring support
>> start sniffing with that tcpdump on an interface not pf_ring aware after loading pf_ring module in trasparent mode = 1
>> results: you do not see any packets
>> is it normal? can you try it?
> Yes, it is normal.
> When PF_RING is in transparent_mode=1,2, it expects to receive packets directly from the NIC, and does *not* listen for packets coming from the linux stack.
>> you can reproduce the same problem (no packets received) using a pf_ring aware snort with daq PCAP (not daq pfring) on a non pf_ring nic.
>> in both those cases libpfring should not be used as i am not sniffing on a pfring nic but on a standard nic and i should see packets since i am simply using tcpdump on a standard nic.
>> for now i have solved in the following way:
>> use snort daq pfring for all snort instances (even on the NICs not pfring aware) -- is it correct? why it works ???
>> use a tcpdump version compiled using libpcap-pfring library but without -lpf_ring flag -- why it works ???
>> a further question:
>> can i put pf_ring in transparent mode=2 and use pf_ring aware applications also for standard NICS?
> No, with vanilla drivers you have to use transparent_mode=0
> Best regards
>> for example, in the same enviroment described in the previous post, it would mean using snort with daq pfring on the intel NIC and the same snort binary with daq pcap on the Chelsio T4.
>> accordingly to what happens now in my system i would not see the packets flowing in the Chelsio......
>> about DNA igb driver:
>> i have to say that we have done simply a test and we do not intend to use dna features.
>> you can reproduce the problem doing:
>> compile pf_ring kernel mod, compile libpfing with dna support, compile libpcap-pfiring, compile tcpdump with libpcap-pfring support
>> load pfring module in trasparent_mode = 2 , no tx mode, quickmode=1
>> compile and load igb 3.x DNA driver
>> start sniffing with tcpdump like this #tcpdump -i dna0
>> SYSTEM HANGS.....(i do not have trace file)
>> the system spec are the same of the prev. post.
>> On 09/26/2011 12:33 PM, Enrico Papi wrote:
>>> the libpfring library is not able to set BPF filters as they fall into the libpcap domain, not PF_RING. MY colleague Alfredo is working at a fix for it that will be out later this week, so you won't have to wait too long.
>>> Can you please let us know how to reproduce the DNA issues?
>>> Regards Luca
>> Ntop-misc mailing list
>> Ntop-misc [at] listgateway
> Ntop-misc mailing list
> Ntop-misc [at] listgateway