Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: NTop: Misc

PF_RING and filter rules

 

 

NTop misc RSS feed   Index | Next | Previous | View Threaded


peter.bates at ucl

Jul 9, 2012, 3:57 AM

Post #1 of 7 (742 views)
Permalink
PF_RING and filter rules

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all...

Just a quick question.

I'm running 5 apps under PF_RING.

1 is unclustered and uses a BPF expression, and the proc output says:

BPF Filtering : Enabled
# Sw Filt. Rules : 0
# Hw Filt. Rules : 0

The other 4 instances are the same application (Snort) and the same
cluster-id with a BPF expression but show:

BPF Filtering : Enabled
# Sw Filt. Rules : 17176
# Hw Filt. Rules : 0

BPF Filtering : Enabled
# Sw Filt. Rules : 16305
# Hw Filt. Rules : 0

Why is the first application '0' even though it has a (software) BPF
expression, and the others are differing numbers?

Thanks.

- --
Peter Bates
Senior Computer Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP+rkDAAoJELhVoVpEMS6RcN8H/AyaCO4LNJdUM7wGqsfwsnT1
hDfkeoeRtmodWKpLRqF3sxQPDiZVcOZ5OJU3oAUqQSvRxYlgKy+knM3k198MbNqH
x6+tJUzUyMdS+yQCIK5DNrAMTHzFf/P4db3eAUoJGANntx51cNRzdHQqGV1Vhp40
VKA4m5y96yTlfJtNLK1MmuRzqJHlwfi8usw5JiHo6yUmGhGqtLEseC4dKlHV06Gq
EsZIGIqMnsKpY/3joU10mutaT4CblJdhqDkSARJeACKRuBB7FLgQvQ60hAON8uuq
e/woh2J9vks41UxXMmVRhfqGsxePkctsNDfmY9nBcE/o0qlWnfnYUbNiBG34qLw=
=SOEV
-----END PGP SIGNATURE-----

_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


cardigliano at ntop

Jul 11, 2012, 2:46 AM

Post #2 of 7 (673 views)
Permalink
Re: PF_RING and filter rules [In reply to]

Peter
the BPF filter is not counted as "Sw Filt. Rules" (this only includes wildcard and hash rules)

Regards
Alfredo

On Jul 9, 2012, at 12:57 PM, Peter Bates wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hello all...
>
> Just a quick question.
>
> I'm running 5 apps under PF_RING.
>
> 1 is unclustered and uses a BPF expression, and the proc output says:
>
> BPF Filtering : Enabled
> # Sw Filt. Rules : 0
> # Hw Filt. Rules : 0
>
> The other 4 instances are the same application (Snort) and the same
> cluster-id with a BPF expression but show:
>
> BPF Filtering : Enabled
> # Sw Filt. Rules : 17176
> # Hw Filt. Rules : 0
>
> BPF Filtering : Enabled
> # Sw Filt. Rules : 16305
> # Hw Filt. Rules : 0
>
> Why is the first application '0' even though it has a (software) BPF
> expression, and the others are differing numbers?
>
> Thanks.
>
> - --
> Peter Bates
> Senior Computer Security Officer Phone: +44(0)2076792049
> Information Services Division Internal Ext: 32049
> University College London
> London WC1E 6BT
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJP+rkDAAoJELhVoVpEMS6RcN8H/AyaCO4LNJdUM7wGqsfwsnT1
> hDfkeoeRtmodWKpLRqF3sxQPDiZVcOZ5OJU3oAUqQSvRxYlgKy+knM3k198MbNqH
> x6+tJUzUyMdS+yQCIK5DNrAMTHzFf/P4db3eAUoJGANntx51cNRzdHQqGV1Vhp40
> VKA4m5y96yTlfJtNLK1MmuRzqJHlwfi8usw5JiHo6yUmGhGqtLEseC4dKlHV06Gq
> EsZIGIqMnsKpY/3joU10mutaT4CblJdhqDkSARJeACKRuBB7FLgQvQ60hAON8uuq
> e/woh2J9vks41UxXMmVRhfqGsxePkctsNDfmY9nBcE/o0qlWnfnYUbNiBG34qLw=
> =SOEV
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc [at] listgateway
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc

_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


peter.bates at ucl

Jul 11, 2012, 3:39 AM

Post #3 of 7 (676 views)
Permalink
Re: PF_RING and filter rules [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello again all

On 11/07/2012 10:46, Alfredo Cardigliano wrote:
> the BPF filter is not counted as "Sw Filt. Rules" (this only
> includes wildcard and hash rules)

> BPF Filtering : Enabled # Sw Filt. Rules : 17176 # Hw Filt.
> Rules : 0

Okay, so what are the 17176 rules listed?
Is this the action of the clustering hashing the packets to the
different instances?

- --
Peter Bates
Senior Computer Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP/VfGAAoJELhVoVpEMS6RvxAH/RakX+LbYrzy26eYeZSXDc7s
sLDosX2v7E1+C6xn8pXvce91mGqml+niZbK+XJyERMEF+kicD/VGWPML1KsVvEDn
FATw4lKrzO3hdKEjvjqga0M5QOM99G1GVdJ6JI+agwBszfBASfobjkBs7L+NhTlU
mEi3pox0JnN9qGeZ3g6JW1zGur2nkGKQu1H4Dlfa014XHQNnTAgahgSrHTRnAoRX
uzK6A2khtssQFPx0X9m/2GjOADc//8xxpt/swhy9nDKmChf3npfcQe36FldCYMdf
7w2lg4uepYJUFGeik4sXv65pkQjx1yGhc4CSoeNz9IdtmpJtmq9N05qd3y6LAdI=
=RwA7
-----END PGP SIGNATURE-----

_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


cardigliano at ntop

Jul 11, 2012, 3:52 AM

Post #4 of 7 (699 views)
Permalink
Re: PF_RING and filter rules [In reply to]

Peter
the rules listed are kernel hash filters added by the DAQ module (you can disable them with --daq-var no-kernel-filters)
every time snort emits a verdict, in order to reduce the amount of traffic it has to analyze.
Those rules are automatically removed when idle for more than 5 minutes (you can change the default with --daq-var kernel-filters-idle-timeout=<seconds>)

Regards
Alfredo

On Jul 11, 2012, at 12:39 PM, Peter Bates wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hello again all
>
> On 11/07/2012 10:46, Alfredo Cardigliano wrote:
>> the BPF filter is not counted as "Sw Filt. Rules" (this only
>> includes wildcard and hash rules)
>
>> BPF Filtering : Enabled # Sw Filt. Rules : 17176 # Hw Filt.
>> Rules : 0
>
> Okay, so what are the 17176 rules listed?
> Is this the action of the clustering hashing the packets to the
> different instances?
>
> - --
> Peter Bates
> Senior Computer Security Officer Phone: +44(0)2076792049
> Information Services Division Internal Ext: 32049
> University College London
> London WC1E 6BT
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJP/VfGAAoJELhVoVpEMS6RvxAH/RakX+LbYrzy26eYeZSXDc7s
> sLDosX2v7E1+C6xn8pXvce91mGqml+niZbK+XJyERMEF+kicD/VGWPML1KsVvEDn
> FATw4lKrzO3hdKEjvjqga0M5QOM99G1GVdJ6JI+agwBszfBASfobjkBs7L+NhTlU
> mEi3pox0JnN9qGeZ3g6JW1zGur2nkGKQu1H4Dlfa014XHQNnTAgahgSrHTRnAoRX
> uzK6A2khtssQFPx0X9m/2GjOADc//8xxpt/swhy9nDKmChf3npfcQe36FldCYMdf
> 7w2lg4uepYJUFGeik4sXv65pkQjx1yGhc4CSoeNz9IdtmpJtmq9N05qd3y6LAdI=
> =RwA7
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc [at] listgateway
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc

_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


jovimon at gmail

Jun 26, 2015, 4:17 AM

Post #5 of 7 (25 views)
Permalink
Re: PF_RING and filter rules [In reply to]

Excuse me for reviving this thread.

I've been using Snort's DAQ module variable no-kernel-filters for a long
time, but recently switched to pfring_zc and got this error:

FATAL ERROR: Can't initialize DAQ pfring_zc (-1) -
pfring_zc_daq_initialize: unsupported variable(no-kernel-filters=1)#012

Why isn't this variable present on the ZC driver ? Am I missing something ?

Thanks,

Jose Vila.

On Wed, Jul 11, 2012 at 12:52 PM, Alfredo Cardigliano <cardigliano [at] ntop>
wrote:

> Peter
> the rules listed are kernel hash filters added by the DAQ module (you can
> disable them with --daq-var no-kernel-filters)
> every time snort emits a verdict, in order to reduce the amount of traffic
> it has to analyze.
> Those rules are automatically removed when idle for more than 5 minutes
> (you can change the default with --daq-var
> kernel-filters-idle-timeout=<seconds>)
>
> Regards
> Alfredo
>
> On Jul 11, 2012, at 12:39 PM, Peter Bates wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> > Hello again all
> >
> > On 11/07/2012 10:46, Alfredo Cardigliano wrote:
> >> the BPF filter is not counted as "Sw Filt. Rules" (this only
> >> includes wildcard and hash rules)
> >
> >> BPF Filtering : Enabled # Sw Filt. Rules : 17176 # Hw Filt.
> >> Rules : 0
> >
> > Okay, so what are the 17176 rules listed?
> > Is this the action of the clustering hashing the packets to the
> > different instances?
> >
> > - --
> > Peter Bates
> > Senior Computer Security Officer Phone: +44(0)2076792049
> > Information Services Division Internal Ext: 32049
> > University College London
> > London WC1E 6BT
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2.0.17 (MingW32)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> >
> > iQEcBAEBAgAGBQJP/VfGAAoJELhVoVpEMS6RvxAH/RakX+LbYrzy26eYeZSXDc7s
> > sLDosX2v7E1+C6xn8pXvce91mGqml+niZbK+XJyERMEF+kicD/VGWPML1KsVvEDn
> > FATw4lKrzO3hdKEjvjqga0M5QOM99G1GVdJ6JI+agwBszfBASfobjkBs7L+NhTlU
> > mEi3pox0JnN9qGeZ3g6JW1zGur2nkGKQu1H4Dlfa014XHQNnTAgahgSrHTRnAoRX
> > uzK6A2khtssQFPx0X9m/2GjOADc//8xxpt/swhy9nDKmChf3npfcQe36FldCYMdf
> > 7w2lg4uepYJUFGeik4sXv65pkQjx1yGhc4CSoeNz9IdtmpJtmq9N05qd3y6LAdI=
> > =RwA7
> > -----END PGP SIGNATURE-----
> >
> > _______________________________________________
> > Ntop-misc mailing list
> > Ntop-misc [at] listgateway
> > http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc [at] listgateway
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>


cardigliano at ntop

Jun 26, 2015, 6:29 AM

Post #6 of 7 (25 views)
Permalink
Re: PF_RING and filter rules [In reply to]

Hi Jose
since kernel is bypassed with ZC, it is not possible to set kernel filters at all, thus no-kernel-filters is not needed.

Best Regards
Alfredo

> On 26 Jun 2015, at 04:17, Jose Vila <jovimon [at] gmail> wrote:
>
> Excuse me for reviving this thread.
>
> I've been using Snort's DAQ module variable no-kernel-filters for a long
> time, but recently switched to pfring_zc and got this error:
>
> FATAL ERROR: Can't initialize DAQ pfring_zc (-1) -
> pfring_zc_daq_initialize: unsupported variable(no-kernel-filters=1)#012
>
> Why isn't this variable present on the ZC driver ? Am I missing something ?
>
> Thanks,
>
> Jose Vila.
>
> On Wed, Jul 11, 2012 at 12:52 PM, Alfredo Cardigliano <cardigliano [at] ntop>
> wrote:
>
>> Peter
>> the rules listed are kernel hash filters added by the DAQ module (you can
>> disable them with --daq-var no-kernel-filters)
>> every time snort emits a verdict, in order to reduce the amount of traffic
>> it has to analyze.
>> Those rules are automatically removed when idle for more than 5 minutes
>> (you can change the default with --daq-var
>> kernel-filters-idle-timeout=<seconds>)
>>
>> Regards
>> Alfredo
>>
>> On Jul 11, 2012, at 12:39 PM, Peter Bates wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>>
>>> Hello again all
>>>
>>> On 11/07/2012 10:46, Alfredo Cardigliano wrote:
>>>> the BPF filter is not counted as "Sw Filt. Rules" (this only
>>>> includes wildcard and hash rules)
>>>
>>>> BPF Filtering : Enabled # Sw Filt. Rules : 17176 # Hw Filt.
>>>> Rules : 0
>>>
>>> Okay, so what are the 17176 rules listed?
>>> Is this the action of the clustering hashing the packets to the
>>> different instances?
>>>
>>> - --
>>> Peter Bates
>>> Senior Computer Security Officer Phone: +44(0)2076792049
>>> Information Services Division Internal Ext: 32049
>>> University College London
>>> London WC1E 6BT
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v2.0.17 (MingW32)
>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>>
>>> iQEcBAEBAgAGBQJP/VfGAAoJELhVoVpEMS6RvxAH/RakX+LbYrzy26eYeZSXDc7s
>>> sLDosX2v7E1+C6xn8pXvce91mGqml+niZbK+XJyERMEF+kicD/VGWPML1KsVvEDn
>>> FATw4lKrzO3hdKEjvjqga0M5QOM99G1GVdJ6JI+agwBszfBASfobjkBs7L+NhTlU
>>> mEi3pox0JnN9qGeZ3g6JW1zGur2nkGKQu1H4Dlfa014XHQNnTAgahgSrHTRnAoRX
>>> uzK6A2khtssQFPx0X9m/2GjOADc//8xxpt/swhy9nDKmChf3npfcQe36FldCYMdf
>>> 7w2lg4uepYJUFGeik4sXv65pkQjx1yGhc4CSoeNz9IdtmpJtmq9N05qd3y6LAdI=
>>> =RwA7
>>> -----END PGP SIGNATURE-----
>>>
>>> _______________________________________________
>>> Ntop-misc mailing list
>>> Ntop-misc [at] listgateway
>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>>
>> _______________________________________________
>> Ntop-misc mailing list
>> Ntop-misc [at] listgateway
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc [at] listgateway
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Attachments: signature.asc (0.82 KB)


jovimon at gmail

Jun 29, 2015, 1:16 AM

Post #7 of 7 (20 views)
Permalink
Re: PF_RING and filter rules [In reply to]

Hello Alfredo,
Thank you very much for the explanation.
Regards,
Jose.

On Fri, Jun 26, 2015 at 3:29 PM, Alfredo Cardigliano <cardigliano [at] ntop>
wrote:

> Hi Jose
> since kernel is bypassed with ZC, it is not possible to set kernel filters
> at all, thus no-kernel-filters is not needed.
>
> Best Regards
> Alfredo
>
> > On 26 Jun 2015, at 04:17, Jose Vila <jovimon [at] gmail> wrote:
> >
> > Excuse me for reviving this thread.
> >
> > I've been using Snort's DAQ module variable no-kernel-filters for a long
> > time, but recently switched to pfring_zc and got this error:
> >
> > FATAL ERROR: Can't initialize DAQ pfring_zc (-1) -
> > pfring_zc_daq_initialize: unsupported variable(no-kernel-filters=1)#012
> >
> > Why isn't this variable present on the ZC driver ? Am I missing
> something ?
> >
> > Thanks,
> >
> > Jose Vila.
> >
> > On Wed, Jul 11, 2012 at 12:52 PM, Alfredo Cardigliano <
> cardigliano [at] ntop>
> > wrote:
> >
> >> Peter
> >> the rules listed are kernel hash filters added by the DAQ module (you
> can
> >> disable them with --daq-var no-kernel-filters)
> >> every time snort emits a verdict, in order to reduce the amount of
> traffic
> >> it has to analyze.
> >> Those rules are automatically removed when idle for more than 5 minutes
> >> (you can change the default with --daq-var
> >> kernel-filters-idle-timeout=<seconds>)
> >>
> >> Regards
> >> Alfredo
> >>
> >> On Jul 11, 2012, at 12:39 PM, Peter Bates wrote:
> >>
> >>> -----BEGIN PGP SIGNED MESSAGE-----
> >>> Hash: SHA1
> >>>
> >>>
> >>> Hello again all
> >>>
> >>> On 11/07/2012 10:46, Alfredo Cardigliano wrote:
> >>>> the BPF filter is not counted as "Sw Filt. Rules" (this only
> >>>> includes wildcard and hash rules)
> >>>
> >>>> BPF Filtering : Enabled # Sw Filt. Rules : 17176 # Hw Filt.
> >>>> Rules : 0
> >>>
> >>> Okay, so what are the 17176 rules listed?
> >>> Is this the action of the clustering hashing the packets to the
> >>> different instances?
> >>>
> >>> - --
> >>> Peter Bates
> >>> Senior Computer Security Officer Phone: +44(0)2076792049
> >>> Information Services Division Internal Ext: 32049
> >>> University College London
> >>> London WC1E 6BT
> >>> -----BEGIN PGP SIGNATURE-----
> >>> Version: GnuPG v2.0.17 (MingW32)
> >>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> >>>
> >>> iQEcBAEBAgAGBQJP/VfGAAoJELhVoVpEMS6RvxAH/RakX+LbYrzy26eYeZSXDc7s
> >>> sLDosX2v7E1+C6xn8pXvce91mGqml+niZbK+XJyERMEF+kicD/VGWPML1KsVvEDn
> >>> FATw4lKrzO3hdKEjvjqga0M5QOM99G1GVdJ6JI+agwBszfBASfobjkBs7L+NhTlU
> >>> mEi3pox0JnN9qGeZ3g6JW1zGur2nkGKQu1H4Dlfa014XHQNnTAgahgSrHTRnAoRX
> >>> uzK6A2khtssQFPx0X9m/2GjOADc//8xxpt/swhy9nDKmChf3npfcQe36FldCYMdf
> >>> 7w2lg4uepYJUFGeik4sXv65pkQjx1yGhc4CSoeNz9IdtmpJtmq9N05qd3y6LAdI=
> >>> =RwA7
> >>> -----END PGP SIGNATURE-----
> >>>
> >>> _______________________________________________
> >>> Ntop-misc mailing list
> >>> Ntop-misc [at] listgateway
> >>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
> >>
> >> _______________________________________________
> >> Ntop-misc mailing list
> >> Ntop-misc [at] listgateway
> >> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
> >>
> > _______________________________________________
> > Ntop-misc mailing list
> > Ntop-misc [at] listgateway
> > http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc [at] listgateway
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>

NTop misc RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.