Mailing List Archive: NTop: Misc

PF_RING libzero and legacy apps

 

 



c.d.wakelin at reading

May 28, 2012, 10:12 AM

Post #1 of 7 (430 views)
PF_RING libzero and legacy apps

I've been looking at the new libzero stuff, but haven't managed to get
it running with Suricata and multiple threads. I'm a bit confused about
how it's supposed to work.

I start the cluster master with:

pfdnacluster_master -i dna0 -c 99 -r 7

Then I start Suricata with "--pfring-int = dnacluster:99" (or equivalent
in suricata.yaml config file).

In multiple threads mode, Suricata will try to set the cluster ID with
pfring_set_cluster, which fails. So I hacked it to ignore the failure.

With a single thread it works. However with two or more threads it fails
on the second call of pfring_open().

Presumably I don't need to specify "-n 6" on the cluster master - that
would mean six independent applications each getting all the packets,
rather than a single, multithreaded one with each thread getting a
proportion of the packets, right?

I also tried giving Suricata six different interfaces, dnacluster:99@1,
dnacluster:99@2, etc. with one thread each, but that didn't work either.

Do I need to modify Suricata to use libzero (might be beyond me)?

Best Wishes,
Chris

--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin [at] reading
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


cardigliano at ntop

May 28, 2012, 10:23 AM

Post #2 of 7 (412 views)
Re: PF_RING libzero and legacy apps [In reply to]

Chris
you do not need to modify Suricata (but please note that pfring_set_cluster() is for vanilla PF_RING only).
"-n 6" means 6 consumers; they can be threads or applications (if they are threads some optimizations are used, but the behavior is exactly the same).
You can decide whether to deliver a portion of the traffic or all the traffic to the application/thread by setting the distribution function (the default one balances packets according to a bidirectional IP-based hash, see pfdnacluster_master.c for other examples).

Best Regards
Alfredo



c.d.wakelin at reading

May 28, 2012, 10:30 AM

Post #3 of 7 (423 views)
Re: PF_RING libzero and legacy apps [In reply to]

On 28/05/12 18:23, Alfredo Cardigliano wrote:
> Chris
> you do not need to modify Suricata (but please note that pfring_set_cluster() is for vanilla PF_RING only).
> "-n 6" means 6 consumers; they can be threads or applications (if they are threads some optimizations are used, but the behavior is exactly the same).
> You can decide whether to deliver a portion of the traffic or all the traffic to the application/thread by setting the distribution function (the default one balances packets according to a bidirectional IP-based hash, see pfdnacluster_master.c for other examples).

So in the default config, I'd need "-n 6" and each Suricata thread
should see 1/6th of the traffic? Would I need to tell each thread to
talk to dnacluster:99@0, dnacluster:99@1 etc.?

I was hoping to have multiple multi-threaded applications, with Suricata
being one of them, with each application seeing all the packets. Would I
then need say "-n 12" and change the function to deliver the same
packets to say, 0 and 6, 1 and 7, 2 and 8 etc?

Best Wishes,
Chris



cardigliano at ntop

May 28, 2012, 10:39 AM

Post #4 of 7 (413 views)
Re: PF_RING libzero and legacy apps [In reply to]

On May 28, 2012, at 7:30 PM, Chris Wakelin wrote:

> On 28/05/12 18:23, Alfredo Cardigliano wrote:
>> Chris
>> you do not need to modify Suricata (but please note that pfring_set_cluster() is for vanilla PF_RING only).
>> "-n 6" means 6 consumers; they can be threads or applications (if they are threads some optimizations are used, but the behavior is exactly the same).
>> You can decide whether to deliver a portion of the traffic or all the traffic to the application/thread by setting the distribution function (the default one balances packets according to a bidirectional IP-based hash, see pfdnacluster_master.c for other examples).
>
> So in the default config, I'd need "-n 6" and each Suricata thread
> should see 1/6th of the traffic? Would I need to tell each thread to
> talk to dnacluster:99@0, dnacluster:99@1 etc.?

You can specify the "consumer id" by using dnacluster:99@0, dnacluster:99@1,
etc. if you need full control in your distribution function; otherwise you can just use
dnacluster:99 from each thread (in this case the id is auto-assigned).

>
> I was hoping to have multiple multi-threaded applications, with Suricata
> being one of them, with each application seeing all the packets. Would I
> then need say "-n 12" and change the function to deliver the same
> packets to say, 0 and 6, 1 and 7, 2 and 8 etc?

Yes, in this case you need to assign the consumer id (dnacluster:X@Y).

Regards
Alfredo

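Added example for posts #2 to #4 (not code from pfdnacluster_master.c or any PF_RING release): a stand-alone C model of the two distribution policies discussed, the default balance mode that hashes a flow bidirectionally to one consumer id, and the fan-out mode Chris asks about, where every application sees every packet and thread t of each application is consumer k*n_threads + t (the "0 and 6, 1 and 7, ..." pairing). The function names, the hash mixing and the sample frame are assumptions made here; PF_RING's real distribution-function hook has its own signature, and this code only models the packet-to-consumer mapping.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define ETH_HLEN 14
#define FRAME_LEN (ETH_HLEN + 20)   /* Ethernet + minimal IPv4 header */

/* Pull the IPv4 source/destination out of a raw Ethernet frame.
 * Returns 0 on success, -1 if the frame is not a complete IPv4 packet. */
static int ipv4_addrs(const uint8_t *pkt, size_t len, uint32_t *src, uint32_t *dst) {
    uint32_t s, d;
    if (len < FRAME_LEN) return -1;                         /* truncated frame */
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return -1;      /* EtherType != IPv4 */
    if ((pkt[ETH_HLEN] >> 4) != 4) return -1;               /* IP version nibble */
    memcpy(&s, pkt + ETH_HLEN + 12, 4); memcpy(&d, pkt + ETH_HLEN + 16, 4);
    *src = ntohl(s); *dst = ntohl(d);
    return 0;
}

/* Direction-independent hash (assumed mixing, not PF_RING's): order the two
 * addresses first so A->B and B->A land on the same consumer, never splitting a flow. */
static uint32_t bidir_ip_hash(uint32_t a, uint32_t b) {
    uint32_t lo = a < b ? a : b, hi = a < b ? b : a;
    uint32_t h = lo * 0x9E3779B1u;                /* golden-ratio multiplier */
    h ^= hi + 0x7F4A7C15u + (h << 6) + (h >> 2);  /* hash_combine-style mix */
    return h;
}

/* Balance mode (the master's default): one consumer id in [0, n) per flow,
 * or -1 for frames the hash cannot classify. */
static int pick_consumer(const uint8_t *pkt, size_t len, unsigned n) {
    uint32_t s, d;
    if (n == 0 || ipv4_addrs(pkt, len, &s, &d) != 0) return -1;
    return (int)(bidir_ip_hash(s, d) % n);
}

/* Fan-out mode from the thread: n_apps applications of n_threads threads each,
 * every application seeing every packet. Thread t of app k is consumer
 * k*n_threads + t, so with 2 x 6 a flow goes to {t, t+6}. Returns a bitmask
 * of consumer ids (bit i => consumer i), or 0 on error. */
static uint32_t fanout_mask(const uint8_t *pkt, size_t len, unsigned n_apps, unsigned n_threads) {
    int t = pick_consumer(pkt, len, n_threads); uint32_t mask = 0;
    if (t < 0 || n_apps * n_threads > 32) return 0;
    for (unsigned k = 0; k < n_apps; k++) mask |= 1u << (k * n_threads + (unsigned)t);
    return mask;
}

/* Constructed sample: minimal Ethernet+IPv4 frame 10.0.0.1 -> 192.0.2.7;
 * reverse=1 swaps the addresses to emulate the return direction. */
static const uint8_t *sample_frame(int reverse) {
    static uint8_t buf[2][FRAME_LEN];
    uint8_t *f = buf[reverse ? 1 : 0];
    uint32_t a = htonl(0x0A000001u), b = htonl(0xC0000207u);
    memset(f, 0, FRAME_LEN);
    f[12] = 0x08; f[13] = 0x00; f[ETH_HLEN] = 0x45;         /* IPv4, IHL 5 */
    memcpy(f + ETH_HLEN + 12, reverse ? &b : &a, 4);
    memcpy(f + ETH_HLEN + 16, reverse ? &a : &b, 4);
    return f;
}

int main(void) {
    printf("fwd -> %d, rev -> %d, 2x6 fan-out mask 0x%03x\n", pick_consumer(sample_frame(0), FRAME_LEN, 6),
           pick_consumer(sample_frame(1), FRAME_LEN, 6), (unsigned)fanout_mask(sample_frame(0), FRAME_LEN, 2, 6));
    return 0;
}
```

Both directions of the sample flow resolve to the same consumer, and the 2 x 6 fan-out mask has exactly that bit and the bit six positions higher set.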


c.d.wakelin at reading

May 28, 2012, 3:39 PM

Post #5 of 7 (422 views)
Re: PF_RING libzero and legacy apps [In reply to]

On 28/05/12 18:39, Alfredo Cardigliano wrote:
>
> On May 28, 2012, at 7:30 PM, Chris Wakelin wrote:
>
>> On 28/05/12 18:23, Alfredo Cardigliano wrote:
>>> Chris
>>> you do not need to modify Suricata (but please note that pfring_set_cluster() is for vanilla PF_RING only).
>>> "-n 6" means 6 consumers; they can be threads or applications (if they are threads some optimizations are used, but the behavior is exactly the same).
>>> You can decide whether to deliver a portion of the traffic or all the traffic to the application/thread by setting the distribution function (the default one balances packets according to a bidirectional IP-based hash, see pfdnacluster_master.c for other examples).
>>
>> So in the default config, I'd need "-n 6" and each Suricata thread
>> should see 1/6th of the traffic? Would I need to tell each thread to
>> talk to dnacluster:99@0, dnacluster:99@1 etc.?
>
> You can specify the "consumer id" by using dnacluster:99@0, dnacluster:99@1,
> etc. if you need full control in your distribution function, otherwise you can just use
> dnacluster:99 from each thread (in this case the id is auto-assigned)
>

I can't use just "dnacluster:99" or Suricata will try multiple
pfring_open() on it and will fail.

Using dnacluster:99@0 etc. does seem to work, mostly! The only problem
is that most of the timestamps ended up being "0" - which is a problem I
see in the TNAPI driver (and somebody else saw with TNAPI and Snort).

Another minor issue is that Suricata's statistics truncate the interface
name and so missed the "@0"..."@5" at the end, so I couldn't easily
split out what each queue saw.

Best Wishes,
Chris



c.d.wakelin at reading

May 30, 2012, 3:53 AM

Post #6 of 7 (505 views)
Re: PF_RING libzero and legacy apps [In reply to]

On 28/05/12 23:39, Chris Wakelin wrote:

> Using dnacluster:99@0 etc. does seem to work, mostly! The only problem
> is that most of the timestamps ended up being "0" - which is a problem I
> see in the TNAPI driver (and somebody else saw with TNAPI and Snort).

I managed to fix that by copying some lines from
libpcap-1.1.1-ring/pcap-linux.c to Suricata's source-pfring.c:

+ /* Some flavours of PF_RING may fail to set timestamp - see
PF-RING-enabled libpcap code*/
+ hdr.ts.tv_sec = 0;

int r = pfring_recv(ptv->pd, (u_char**)&GET_PKT_DIRECT_DATA(p),
(u_int)GET_PKT_DIRECT_MAX_SIZE(p),
&hdr,
LIBPFRING_WAIT_FOR_INCOMING);

if (r == 1) {

+ /* PF_RING may fail to set timestamp */
+ if (hdr.ts.tv_sec == 0) gettimeofday((struct
timeval*)&hdr.ts, NULL);
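Review bot: the fallback inside the `if (r == 1)` branch stamps the packet with the time pfring_recv() returned, not the time it arrived, so whenever the driver leaves tv_sec at 0 the recorded timestamp is late by however long the packet waited in the ring; under a burst that distorts inter-packet timing and event ordering in alerts and written pcaps. Suggest counting how often the `hdr.ts.tv_sec == 0` branch fires (a per-thread counter reported with the other capture stats) so an operator can tell synthetic timestamps from driver-supplied ones, and documenting in the comment that the substituted value is receive time rather than capture time.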

Works for TNAPI too!

Is this better than using pfring_recv_parsed() with the "add_timestamp"
flag? (BTW looking at the code in pfring_utils.c, I spotted a
misspelling of the name "analized" - it should be "analysed" for British
English or "analyzed" for American - not that I'm proposing
spell-checking everything :-) )

> Another minor issue is that Suricata's statistics truncate the interface
> name and so missed the "@0"..."@5" at the end, so I couldn't easily
> split out what each queue saw.

Suricata truncates interface names > 15 chars in its thread-naming, so
choosing a single-digit cluster ID made it fit. It might cause fewer such
compatibility issues though to have a shorter name for the cluster
interface, say dnacl:X@Y ?

Best Wishes,
Chris



cardigliano at ntop

May 30, 2012, 4:05 AM

Post #7 of 7 (418 views)
Re: PF_RING libzero and legacy apps [In reply to]

Hi Chris
see inline

On May 30, 2012, at 12:53 PM, Chris Wakelin wrote:

> On 28/05/12 23:39, Chris Wakelin wrote:
>
>> Using dnacluster:99@0 etc. does seem to work, mostly! The only problem
>> is that most of the timestamps ended up being "0" - which is a problem I
>> see in the TNAPI driver (and somebody else saw with TNAPI and Snort).
>
> I managed to fix that by copying some lines from
> libpcap-1.1.1-ring/pcap-linux.c to Suricata's source-pfring.c:
>
> + /* Some flavours of PF_RING may fail to set timestamp - see
> PF-RING-enabled libpcap code*/
> + hdr.ts.tv_sec = 0;
>
> int r = pfring_recv(ptv->pd, (u_char**)&GET_PKT_DIRECT_DATA(p),
> (u_int)GET_PKT_DIRECT_MAX_SIZE(p),
> &hdr,
> LIBPFRING_WAIT_FOR_INCOMING);
>
> if (r == 1) {
>
> + /* PF_RING may fail to set timestamp */
> + if (hdr.ts.tv_sec == 0) gettimeofday((struct
> timeval*)&hdr.ts, NULL);
>
> Works for TNAPI too!
>
> Is this better than using pfring_recv_parsed() with the "add_timestamp"
> flag? (BTW looking at the code in pfring_utils.c, I spotted a
> misspelling of the name "analized" - it should be "analysed" for British
> English or "analyzed" for American - not that I'm proposing
> spell-checking everything :-) )

Thank you :-)
As you probably saw pfring_recv_parsed() with the add_timestamp flag does exactly the same.

>
>> Another minor issue is that Suricata's statistics truncate the interface
>> name and so missed the "@0"..."@5" at the end, so I couldn't easily
>> split out what each queue saw.
>
> Suricata truncates interface names > 15 chars in its thread-naming, so
> choosing a single-digit cluster ID made it fit. It might cause fewer such
> compatibility issues though to have a shorter name for the cluster
> interface, say dnacl:X@Y ?

Ok, we will definitely consider this.

Best Regards
Alfredo

