
Mailing List Archive: NTop: Misc

'Transparent mode: no' in /proc/net/pf_ring/info

 

 



mlist at woifi

May 8, 2012, 1:59 AM

Post #1 of 11 (860 views)
'Transparent mode: no' in /proc/net/pf_ring/info

Hi,

I am currently playing around with PF_RING (and snort). When loading the pf_ring module with option transparent_mode=2, I see packages in tcpdump and /proc/net/pf_ring/info tells me that transparent mode is somehow not enabled:

# cat /proc/net/pf_ring/info
PF_RING Version : 5.3.0 ($Revision: exported$)
Ring slots : 4096
Slot version : 13
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Transparent mode : No (mode 2)
Total rings : 0
Total plugins : 0

dmesg tells me that transparent mode is set to 2:

[PF_RING] Welcome to PF_RING 5.3.0 ($Revision: exported$)
(C) 2004-11 L.Deri <deri [at] ntop>
[PF_RING] registered /proc/net/pf_ring/
NET: Registered protocol family 27
[PF_RING] Min # ring slots 4096
[PF_RING] Slot version 13
[PF_RING] Capture TX No [RX only]
[PF_RING] Transparent Mode 2
[PF_RING] IP Defragment No
[PF_RING] Initialized correctly

Is this behaviour correct? I am using CentOS 6.2 x64 with PF_RING 5.3.0 (also 5.2.1 has the same issue), my NICs are the following:

13:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (rev 06)

Thanks,

Wolfgang
_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


c.d.wakelin at reading

May 8, 2012, 2:03 AM

Post #2 of 11 (820 views)
Re: 'Transparent mode: no' in /proc/net/pf_ring/info [In reply to]

I think "transparent" in this case means being passed to the kernel
after PF_RING has seen it. Thus "transparent_mode=2" means it isn't
transparent. I'll admit it's a bit confusing though :)

You can check by trying a non-PF-RING-enabled tcpdump which shouldn't
see anything!

Best Wishes,
Chris



--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin [at] reading
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094


mlist at woifi

May 8, 2012, 2:17 AM

Post #3 of 11 (820 views)
Re: 'Transparent mode: no' in /proc/net/pf_ring/info [In reply to]

Chris,

thanks for your fast answer. A non PF_RING aware tcpdump is able to see traffic when snort is not running. I guess this should not be the case, right?

Best regards,

Wolfgang




deri at ntop

May 8, 2012, 2:39 AM

Post #4 of 11 (823 views)
Re: 'Transparent mode: no' in /proc/net/pf_ring/info [In reply to]

Wolfgang,
if you use transparent_mode != 0 then you need to use PF_RING-aware drivers.

Luca



c.d.wakelin at reading

May 8, 2012, 2:39 AM

Post #5 of 11 (826 views)
Re: 'Transparent mode: no' in /proc/net/pf_ring/info [In reply to]

On 08/05/12 10:17, Wolfgang Neudorfer wrote:
> Chris,
>
> thanks for your fast answer. A non PF_RING aware tcpdump is able to see traffic when snort is not running. I guess this should not be the case, right?

Right! Are you sure you have a PF_RING-enabled driver? I think you need
the e1000e driver from the PF_RING distribution. What does "ethtool -i
<interface>" say?

Be careful not to use transparent_mode=2 and a PF_RING-enabled driver
used on the same interface as you manage the box or you'll get
disconnected :) We've got non-PF_RING bnx2 for management and e1000e or
ixgbe for the packet capture.

Best Wishes,
Chris

--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin [at] reading
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094


mlist at woifi

May 8, 2012, 3:20 AM

Post #6 of 11 (821 views)
Re: 'Transparent mode: no' in /proc/net/pf_ring/info [In reply to]

Luca,

I am using the PF_RING aware e1000e driver, ethtool says the following:

# ethtool -i eth0
driver: e1000e
version: 1.6.3-NAPI
firmware-version: 5.11-2
bus-info: 0000:13:00.0

This line should say yes, right?

>> Transparent mode : No (mode 2)


Wolfgang



mlist at woifi

May 8, 2012, 3:21 AM

Post #7 of 11 (822 views)
Re: 'Transparent mode: no' in /proc/net/pf_ring/info [In reply to]

Chris,

I have a bnx2 interface for management as well - thanks for the advice anyway ;)

Wolfgang




deri at ntop

May 8, 2012, 4:34 AM

Post #8 of 11 (816 views)
Re: 'Transparent mode: no' in /proc/net/pf_ring/info [In reply to]

Wolfgang,
No is correct because you're not transparent to the stack as packets are
sent to PF_RING and not to the Linux stack via NAPI.

Luca



mlist at woifi

May 8, 2012, 5:26 AM

Post #9 of 11 (815 views)
Re: 'Transparent mode: no' in /proc/net/pf_ring/info [In reply to]

Luca,

thanks for your answer. But why am I able to see traffic with a non PF_RING aware tcpdump?

Can you confirm that PF_RING is working correctly? (I have this question because I think I am not really gaining performance through PF_RING instead of using pcap with snort.)

Wolfgang




c.d.wakelin at reading

May 8, 2012, 5:29 AM

Post #10 of 11 (813 views)
Re: 'Transparent mode: no' in /proc/net/pf_ring/info [In reply to]

Possibly silly question, but are you sure your non-PF_RING tcpdump isn't
picking PF_RING's libpcap?

Does pfcount -i <interface> work as expected (pfcount is in the
/userland/examples directory of PF_RING)?

Best Wishes,
Chris

--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin [at] reading
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094


mlist at woifi

May 8, 2012, 5:47 AM

Post #11 of 11 (816 views)
Re: 'Transparent mode: no' in /proc/net/pf_ring/info [In reply to]

1) Yes, I am pretty sure that my vanilla tcpdump does not use the PF_RING's libpcap. I did no 'make install' in this directory and my /usr/lib64/libpcap.so is a link to /usr/lib64/libpcap.so.1.0.0:

ls -l /usr/lib64/libpcap.so.1.0.0
-rwxr-xr-x. 1 root root 223432 Nov 11 2010 /usr/lib64/libpcap.so.1.0.0

libpcap from PF_RING looks like this:
-rwxr-xr-x 1 root root 453197 May 7 15:57 libpcap.so.1.1.1


2) Yes, pfcount does work as expected.


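
The checks discussed in this thread (the "Transparent mode" line in /proc/net/pf_ring/info, ethtool -i, and which libpcap tcpdump actually loads), collected as an added example that is not part of the original posts or of PF_RING. The info and ethtool samples are abridged from the output quoted in the thread; the ldd sample, the IFACE and VANILLA_SAW variables and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: interpret the diagnostics quoted in this thread.
# SAMPLE_INFO and SAMPLE_ETHTOOL are abridged from the thread's output;
# SAMPLE_LDD is constructed. IFACE and VANILLA_SAW are this example's own knobs.

SAMPLE_INFO='PF_RING Version : 5.3.0 ($Revision: exported$)
Ring slots : 4096
Socket Mode : Standard
Transparent mode : No (mode 2)
Total rings : 0'

SAMPLE_ETHTOOL='driver: e1000e
version: 1.6.3-NAPI
firmware-version: 5.11-2
bus-info: 0000:13:00.0'

SAMPLE_LDD='  linux-vdso.so.1 =>  (0x00007fff0a1ff000)
  libpcap.so.1 => /usr/lib64/libpcap.so.1 (0x00007f3c5d2a1000)
  libc.so.6 => /lib64/libc.so.6 (0x00007f3c5cf0d000)'

# info_field KEY: read "key : value" lines on stdin, print the value for KEY.
# Splits at the first colon only, so values that contain colons survive.
info_field() {
    awk -v key="$1" '{
        i = index($0, ":")
        if (i == 0) next
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (tolower(k) == tolower(key)) { print v; exit }
    }'
}

# "No (mode 2)" -> "no" and "2".
transparent_flag() { info_field "Transparent mode" | awk '{ print tolower($1) }'; }
transparent_mode() { info_field "Transparent mode" | sed -n 's/.*(mode \([0-9][0-9]*\)).*/\1/p'; }

# libpcap_path: read ldd output on stdin, print the libpcap the binary loads.
# "none" means libpcap is not a dynamic dependency (e.g. linked statically), in
# which case the files under /usr/lib64 say nothing about that binary.
libpcap_path() {
    awk '$1 ~ /^libpcap\.so/ && $2 == "=>" {
             print ($3 == "not" ? "missing" : $3); found = 1; exit
         }
         END { if (!found) print "none" }'
}

# verdict INFO_TEXT VANILLA_SAW: compare what the module reports with what a
# capture tool that does not use PF_RING observed on the same interface.
verdict() {
    flag=$(printf '%s\n' "$1" | transparent_flag)
    case "$flag:$2" in
        no:yes) echo mismatch ;;
        no:no)  echo consistent ;;
        yes:*)  echo transparent ;;
        *)      echo unknown ;;
    esac
}

IFACE=${IFACE:-eth0}
VANILLA_SAW=${VANILLA_SAW:-yes}   # did a non-PF_RING tcpdump see packets on IFACE?

# Live data when available, otherwise the samples above.
info=$(cat /proc/net/pf_ring/info 2>/dev/null) || info=$SAMPLE_INFO
drv=$(ethtool -i "$IFACE" 2>/dev/null) || drv=$SAMPLE_ETHTOOL
libs=$(ldd "$(command -v tcpdump)" 2>/dev/null) || libs=$SAMPLE_LDD

echo "transparent mode: $(printf '%s\n' "$info" | transparent_mode)" \
     "(transparent to the stack: $(printf '%s\n' "$info" | transparent_flag))"
echo "driver on $IFACE: $(printf '%s\n' "$drv" | info_field driver)" \
     "$(printf '%s\n' "$drv" | info_field version)"
echo "tcpdump libpcap: $(printf '%s\n' "$libs" | libpcap_path)"

case $(verdict "$info" "$VANILLA_SAW") in
    mismatch)    echo "mismatch: the module reports packets are kept from the Linux stack," \
                      "but a vanilla capture saw them; check that the loaded driver is the" \
                      "PF_RING-aware build and which libpcap the capture tool loads" ;;
    consistent)  echo "consistent: packets go to PF_RING and not to the Linux stack" ;;
    transparent) echo "packets are also passed to the Linux stack" ;;
    *)           echo "could not read the Transparent mode line" ;;
esac
```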
