
Mailing List Archive: NTop: Misc

PF_RING hardware filter with snort

 

 



40312 at studenti

Mar 18, 2012, 1:50 AM

Post #1 of 7 (910 views)

I'm kind of a spammer lately :), however it doesn't seem hardware filtering
is working here on Intel 82599.

I'm using the pfring daq, with 2-tuple cluster_mode.

The driver is loaded with RSS=0,0,0,0 FdirMode=2,2,2,2 FdirPballoc=3,3,3,3

[38621.801241] ixgbe: Receive-Side Scaling (RSS) set to 0
[38621.801245] ixgbe: Flow Director filtering mode set to 2
[38621.801248] ixgbe: 0000:06:00.0: ixgbe_check_options: Flow Director perfect filtering enabled
[38621.801251] ixgbe: Flow Director packet buffer allocation set to 3
[38621.801254] ixgbe: 0000:06:00.0: ixgbe_check_options: Flow Director will be allocated 256kB of packet buffer
[38621.801257] ixgbe: 0000:06:00.0: ixgbe_check_options: FCoE Offload feature enabled
[38621.801303] ixgbe 0000:06:00.0: (unregistered net_device): FCoE offload feature is not available. Disabling FCoE offload feature
[38621.825602] ixgbe 0000:06:00.0: irq 80 for MSI/MSI-X
[38621.825609] ixgbe 0000:06:00.0: irq 81 for MSI/MSI-X
[38621.827133] ixgbe 0000:06:00.0: (PCI Express:5.0GT/s:Width x8) xxxxxxxxxxxxxxxxxx
[38621.827466] ixgbe 0000:06:00.0: eth2: MAC: 2, PHY: 2, PBA No: G21371-003
[38621.827469] ixgbe 0000:06:00.0: eth2: Enabled Features: RxQ: 1 TxQ: 1 FdirPerfect RSC
[38621.827548] ixgbe 0000:06:00.0: eth2: Intel(R) 10 Gigabit Network Connection
[38621.827584] ixgbe 0000:06:00.1: PCI INT A -> GSI 38 (level, low) -> IRQ 38
[38621.827596] ixgbe 0000:06:00.1: setting latency timer to 64
[38622.216534] ixgbe: Receive-Side Scaling (RSS) set to 0
[38622.216539] ixgbe: Flow Director filtering mode set to 2
[38622.216542] ixgbe: 0000:06:00.1: ixgbe_check_options: Flow Director perfect filtering enabled
[38622.216545] ixgbe: Flow Director packet buffer allocation set to 3
[38622.216548] ixgbe: 0000:06:00.1: ixgbe_check_options: Flow Director will be allocated 256kB of packet buffer
[38622.216551] ixgbe: 0000:06:00.1: ixgbe_check_options: FCoE Offload feature enabled
[38622.216598] ixgbe 0000:06:00.1: (unregistered net_device): FCoE offload feature is not available. Disabling FCoE offload feature
[38622.240926] ixgbe 0000:06:00.1: irq 82 for MSI/MSI-X
[38622.240933] ixgbe 0000:06:00.1: irq 83 for MSI/MSI-X
[38622.242488] ixgbe 0000:06:00.1: (PCI Express:5.0GT/s:Width x8) xxxxxxxxxxxxxxxx
[38622.242821] ixgbe 0000:06:00.1: eth3: MAC: 2, PHY: 2, PBA No: G21371-003
[38622.242824] ixgbe 0000:06:00.1: eth3: Enabled Features: RxQ: 1 TxQ: 1 FdirPerfect RSC
[38622.242904] ixgbe 0000:06:00.1: eth3: Intel(R) 10 Gigabit Network Connection
[38622.246866] ixgbe 0000:06:00.0: eth2: changing MTU from 1500 to 9000
[38625.369956] ixgbe 0000:06:00.0: eth2: NIC Link is Up 1 Gbps, Flow Control: None


however # grep 'Filt' *eth2*
7989-eth2.2:BPF Filtering : Disabled
7989-eth2.2:# Sw Filt. Rules : 1756
7989-eth2.2:# Hw Filt. Rules : 0
7991-eth2.1:BPF Filtering : Disabled
7991-eth2.1:# Sw Filt. Rules : 3188
7991-eth2.1:# Hw Filt. Rules : 0
7993-eth2.7:BPF Filtering : Disabled
7993-eth2.7:# Sw Filt. Rules : 2248
7993-eth2.7:# Hw Filt. Rules : 0
7995-eth2.4:BPF Filtering : Disabled
7995-eth2.4:# Sw Filt. Rules : 1102
7995-eth2.4:# Hw Filt. Rules : 0
7997-eth2.8:BPF Filtering : Disabled
7997-eth2.8:# Sw Filt. Rules : 1563
7997-eth2.8:# Hw Filt. Rules : 0
7999-eth2.3:BPF Filtering : Disabled
7999-eth2.3:# Sw Filt. Rules : 1344
7999-eth2.3:# Hw Filt. Rules : 0
8001-eth2.6:BPF Filtering : Disabled
8001-eth2.6:# Sw Filt. Rules : 1306
8001-eth2.6:# Hw Filt. Rules : 0
8003-eth2.5:BPF Filtering : Disabled
8003-eth2.5:# Sw Filt. Rules : 1245
8003-eth2.5:# Hw Filt. Rules : 0

I'd expect having "Hw filt rules" greater than 0. Or maybe it doesn't work
that way
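
The per-ring check from the post above, totalled across all rings, as an added example that is not part of the original thread. It reads `grep -H 'Filt'` output in the format quoted in the post; the sample lines are constructed from three of the rings shown there, the function names are hypothetical, and `/proc/net/pf_ring` as the directory to grep on a live sensor is an assumption, since the post does not name it.

```shell
#!/bin/sh
# Added example (not from the thread): total PF_RING filter-rule counters per ring.
# Expected input is `grep -H 'Filt' <files>` output in the format quoted in the post:
#   <pid>-<dev>.<ring>:# Sw Filt. Rules : <n>
#   <pid>-<dev>.<ring>:# Hw Filt. Rules : <n>
# -H keeps the file-name prefix even when only one file matches.

filt_summary() {
    awk '
    # Return the ring name (text before the first colon), registering new rings
    # in first-seen order so the report is deterministic.
    function ring_of(line,   r) {
        r = substr(line, 1, index(line, ":") - 1)
        if (!(r in sw)) { sw[r] = 0; hw[r] = 0; order[++n] = r }
        return r
    }
    /# Sw Filt\. Rules/ { r = ring_of($0); sw[r] = $NF + 0 }
    /# Hw Filt\. Rules/ { r = ring_of($0); hw[r] = $NF + 0 }
    END {
        for (i = 1; i <= n; i++) {
            r = order[i]
            printf "%s sw=%d hw=%d\n", r, sw[r], hw[r]
            sw_total += sw[r]; hw_total += hw[r]
        }
        # hw_total=0 means every ring is filtering in software only.
        printf "rings=%d sw_total=%d hw_total=%d\n", n, sw_total, hw_total
    }'
}

# Constructed sample: three rings copied from the grep output in the post.
sample_lines() {
    cat <<'EOF'
7989-eth2.2:BPF Filtering : Disabled
7989-eth2.2:# Sw Filt. Rules : 1756
7989-eth2.2:# Hw Filt. Rules : 0
7991-eth2.1:BPF Filtering : Disabled
7991-eth2.1:# Sw Filt. Rules : 3188
7991-eth2.1:# Hw Filt. Rules : 0
7993-eth2.7:BPF Filtering : Disabled
7993-eth2.7:# Sw Filt. Rules : 2248
7993-eth2.7:# Hw Filt. Rules : 0
EOF
}

# Live use (assumed path): grep -H 'Filt' /proc/net/pf_ring/*eth2* | filt_summary
sample_lines | filt_summary
```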


deri at ntop

Mar 18, 2012, 5:47 AM

Post #2 of 7 (871 views)
Re: PF_RING hardware filter with snort

How do you set filters?

Luca

Sent from my iPad (sorry for typos)



40312 at studenti

Mar 18, 2012, 6:27 AM

Post #3 of 7 (852 views)
Re: PF_RING hardware filter with snort

On Sun, Mar 18, 2012 at 1:47 PM, Luca Deri <deri [at] ntop> wrote:

> How do you set filters?
>
> Luca
>
> Sent from my iPad (sorry for typos)
>

I don't directly set filters, I expected the pfring DAQ to set them
automagically instead of using sw. filters.

I was led into thinking this by this blog post,
http://www.ntop.org/pf_ring/exploiting-hardware-filtering-in-pf_ring-aware-apps-snort/,
but maybe I misunderstood.


cardigliano at ntop

Mar 18, 2012, 6:33 AM

Post #4 of 7 (859 views)
Re: PF_RING hardware filter with snort

Alessandro
actually the PF_RING-aware ixgbe driver does not support hw filters, it is only available with DNA/TNAPI drivers.

Alfredo

On Mar 18, 2012, at 2:27 PM, Alessandro Guido wrote:

> On Sun, Mar 18, 2012 at 1:47 PM, Luca Deri <deri [at] ntop> wrote:
> How do you set filters?
>
> Luca
>
> Sent from my iPad (sorry for typos)
>
> I don't directly set filters, I expected the pfring DAQ to set them automagically instead of using sw. filters.
>
> I was led into thinking this by this blog post ,http://www.ntop.org/pf_ring/exploiting-hardware-filtering-in-pf_ring-aware-apps-snort/, but maybe I misunderstood.
>


40312 at studenti

Mar 18, 2012, 6:36 AM

Post #5 of 7 (851 views)
Re: PF_RING hardware filter with snort

On Sun, Mar 18, 2012 at 2:33 PM, Alfredo Cardigliano <cardigliano [at] ntop> wrote:

> Alessandro
> actually the PF_RING-aware ixgbe driver does not support hw filters, it is
> only available with DNA/TNAPI drivers.
>

is it possible to cluster snort with dna?


cardigliano at ntop

Mar 18, 2012, 6:46 AM

Post #6 of 7 (854 views)
Re: PF_RING hardware filter with snort

On Mar 18, 2012, at 2:36 PM, Alessandro Guido wrote:

> On Sun, Mar 18, 2012 at 2:33 PM, Alfredo Cardigliano <cardigliano [at] ntop> wrote:
> Alessandro
> actually the PF_RING-aware ixgbe driver does not support hw filters, it is only available with DNA/TNAPI drivers.
>
> is it possible to cluster snort with dna?

Not yet, we are developing a library for balancing traffic in zero-copy fashion across threads (this is almost complete) and applications (e.g. snort instances). I'm confident it will be available later this spring.

Alfredo



40312 at studenti

Mar 18, 2012, 6:48 AM

Post #7 of 7 (858 views)
Re: PF_RING hardware filter with snort

On Sun, Mar 18, 2012 at 2:46 PM, Alfredo Cardigliano <cardigliano [at] ntop> wrote:

>
> On Mar 18, 2012, at 2:36 PM, Alessandro Guido wrote:
>
> On Sun, Mar 18, 2012 at 2:33 PM, Alfredo Cardigliano <cardigliano [at] ntop
> > wrote:
>
>> Alessandro
>> actually the PF_RING-aware ixgbe driver does not support hw filters, it
>> is only available with DNA/TNAPI drivers.
>>
>
> is it possible to cluster snort with dna?
>
>
> Not yet, we are developing a library for balancing traffic in zero-copy
> fashion across threads (this is almost complete) and applications (e.g.
> snort instances). I'm confident it will be available later this spring.
>
>
I need clustering, so I'll stick to using software filters; however, that's
great news to hear.
