Mailing List Archive: NTop: Misc

PF_RING clustering not working?

 

 



40312 at studenti

Mar 19, 2012, 12:30 AM

Post #1 of 4 (412 views)
PF_RING clustering not working?

I'm testing the snort DAQ with cluster_mode_per_flow_2_tuple, however it
doesn't seem to work here.

I've got several snort instances belonging to the same cluster:

/proc/net/pf_ring# grep -i cluster *
26060-eth2.8:Cluster Id : 1
26063-eth2.7:Cluster Id : 1
26066-eth2.9:Cluster Id : 1
26069-eth2.3:Cluster Id : 1
26072-eth2.1:Cluster Id : 1
26075-eth2.6:Cluster Id : 1
26078-eth2.5:Cluster Id : 1
26081-eth2.4:Cluster Id : 1
26084-eth2.10:Cluster Id : 1
26087-eth2.2:Cluster Id : 1


however looking at my instances logs I get:

Instance #8
08/barnyard:03/19-08:18:45.180915 [**] [1:8375:5] WEB-ACTIVEX QuickTime Object ActiveX clsid access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 213.52.252.143:80 -> $IP:1211

Instance #9
09/barnyard:03/19-05:56:59.436261 [**] [1:8375:5] WEB-ACTIVEX QuickTime Object ActiveX clsid access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 213.52.252.143:80 -> $IP:1353

Where $IP is the same value. Now, I thought that 2_tuple clustering should
have put all that traffic on the same instance, shouldn't it?
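The check the post above does by eye, as an added example that is not part of the thread, of PF_RING or of Snort: a script that parses barnyard fast-alert lines prefixed with the instance directory (the shape of the poster's grep output) and reports IP pairs whose alerts turned up on more than one cluster member. Under 2-tuple clustering every packet between a given pair of addresses should reach the same ring, so a non-empty report for the 2-tuple key means either that the ring is not in the mode you think or that the lines come from different runs (the poster's own later suspicion). The alert lines are constructed (192.0.2.10 stands in for the poster's masked $IP; 198.51.100.7 and 203.0.113.1 are invented), the address pair is treated as unordered on the assumption that both directions of a flow are meant to land on the same instance, and 4- and 5-tuple keys are included so you can see which policy would explain an observed split.

```python
"""Report flows whose alerts are spread over several PF_RING cluster members.

Added example for this thread; not code from PF_RING, Snort or the poster.
Input lines look like `grep` output across per-instance directories:
    <instance>/barnyard:<barnyard fast-alert line>
SAMPLE_ALERTS below is constructed for this example (192.0.2.10 stands in
for the poster's masked $IP; 198.51.100.7 and 203.0.113.1 are invented).
"""
import re
from collections import defaultdict

ALERT_RE = re.compile(
    r"^(?P<inst>\d+)/[^:]*:"                    # "08/barnyard:" instance prefix
    r".*?\{(?P<proto>[A-Z]+)\}\s+"              # "{TCP}"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"   # "213.52.252.143:80 ->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"       # "192.0.2.10:1211"
)

SAMPLE_ALERTS = """\
08/barnyard:03/19-08:18:45.180915 [**] [1:8375:5] WEB-ACTIVEX QuickTime Object ActiveX clsid access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 213.52.252.143:80 -> 192.0.2.10:1211
09/barnyard:03/19-05:56:59.436261 [**] [1:8375:5] WEB-ACTIVEX QuickTime Object ActiveX clsid access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 213.52.252.143:80 -> 192.0.2.10:1353
08/barnyard:03/19-08:20:01.000000 [**] [1:2000:1] constructed sample alert [**] [Priority: 3] {UDP} 198.51.100.7:53 -> 192.0.2.10:40000
03/barnyard:03/19-08:21:02.000000 [**] [1:2000:1] constructed sample alert [**] [Priority: 3] {TCP} 192.0.2.10:44444 -> 198.51.100.7:443
05/barnyard:03/19-08:22:03.000000 [**] [1:2000:1] constructed sample alert [**] [Priority: 3] {TCP} 203.0.113.1:443 -> 192.0.2.10:50001
05/barnyard:03/19-08:22:04.000000 [**] [1:2000:1] constructed sample alert [**] [Priority: 3] {TCP} 203.0.113.1:443 -> 192.0.2.10:50002
"""


def parse_alert(line):
    """Return the instance number and 5-tuple of one prefixed alert line, or None."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["inst"] = int(rec["inst"])
    return rec


def flow_key(rec, mode):
    """Key a flow the way a 2-, 4- or 5-tuple cluster policy would.

    Endpoints are sorted so both directions of a conversation share a key
    (assumption: a flow-based policy is meant to be direction-agnostic)."""
    if mode == "2_tuple":
        return tuple(sorted((rec["src"], rec["dst"])))
    ends = tuple(sorted(((rec["src"], rec["sport"]), (rec["dst"], rec["dport"]))))
    if mode == "4_tuple":
        return ends
    if mode == "5_tuple":
        return (rec["proto"],) + ends
    raise ValueError("unknown mode %r" % mode)


def instances_per_flow(lines, mode):
    """Map each flow key to the set of cluster members that alerted on it."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_alert(line)
        if rec:
            seen[flow_key(rec, mode)].add(rec["inst"])
    return seen


def split_flows(lines, mode):
    """Flow keys whose traffic reached more than one instance: the policy
    `mode` did not keep them together (or the lines span several runs)."""
    return {k: v for k, v in instances_per_flow(lines, mode).items() if len(v) > 1}


if __name__ == "__main__":
    lines = SAMPLE_ALERTS.splitlines()
    for mode in ("2_tuple", "4_tuple", "5_tuple"):
        bad = split_flows(lines, mode)
        print("%s: %d flow(s) split across instances" % (mode, len(bad)))
        for key, insts in sorted(bad.items()):
            print("  %s -> instances %s" % (key, sorted(insts)))
```

On the constructed input the 2-tuple key flags the two QuickTime alerts (instances 8 and 9) and the 198.51.100.7 conversation (instances 3 and 8), while the 4- and 5-tuple keys flag nothing, which is the signature of a ring that is hashing on ports rather than addresses alone. Feed it `grep -h '' */barnyard*` style output from one capture run only; mixing runs produces the same false positives the poster ran into.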


deri at ntop

Mar 21, 2012, 1:01 PM

Post #2 of 4 (392 views)
Re: PF_RING clustering not working? [In reply to]

Alessandro
Many users are using the DAQ module like you do. Can you explain how you did your experiments and why you believe you are using the 2-tuple?

Luca

Sent from my iPad (sorry for typos)



40312 at studenti

Mar 21, 2012, 1:06 PM

Post #3 of 4 (395 views)
Re: PF_RING clustering not working? [In reply to]

I've patched daq_pfring.c like this:

if(context->clusterid > 0) {
- pfring_rc = pfring_set_cluster(ring_handle, context->clusterid,
cluster_per_flow);
+ pfring_rc = pfring_set_cluster(ring_handle, context->clusterid,
cluster_per_flow_2_tuple);

if(pfring_rc != 0) {
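Review bot: the replacement hardcodes cluster_per_flow_2_tuple for every ring whose clusterid is set, so the original cluster_per_flow behaviour is no longer reachable without rebuilding the module; read the mode from a DAQ configuration variable parsed next to clusterid (a hypothetical `clustermode` key, defaulting to cluster_per_flow) so the distribution policy is chosen at run time rather than at compile time. As pasted, each changed line is wrapped onto two lines (`- pfring_rc = pfring_set_cluster(ring_handle, context->clusterid,` continues as `cluster_per_flow);`) and there is no `@@` hunk header or file header, so it will not apply with `patch`; a `diff -u` against daq_pfring.c would make the change reproducible for others trying to confirm the 2-tuple result.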


40312 at studenti

Mar 21, 2012, 1:16 PM

Post #4 of 4 (389 views)
Re: PF_RING clustering not working? [In reply to]

Maybe I've taken results from different runs of my experiments, please
ignore me for now.
