Will, I recently had this same trouble with pf_ring snaplen. The API function does not work properly if you didn't set the correct "bucket_len" arg when you load the ring module . The default BUCKET_LEN value is set to 96 or 128 bytes , probably for capture optimization
so, to correct this strange issue, try it: rmmod ring insmod path_to_ring/ring.ko bucket_len=1600 and restart your apps , it will be OK regards, Diogo Sato www.predialnet.com.br PredialNet Wireless ISP ----- Mensagem Original ----- De: Will Metcalf <[EMAIL PROTECTED]> Para: [email protected] Data: Monday, 28 De July De 2008 18:18 Assunto: [Ntop-dev] strange issue with latest pf_ring > I'm having a weird issue with the latest pf_ring that allows user > specified snaplen/caplen to tell pf_ring what the bucket length should > be. Everything works fine until I restart one of the apps argus which > has a smaller snaplen than snort and daemonlogger both with a snaplen > of 1515. Once I do this both deamonlogger and snort start to only > capture 96 bytes of traffic that is specified as the argus snaplen. > If I change the argus snaplen to to 1515 everything is fine, but I > don't want to do that as the boxes are overtaxed as it is, and I need > to roll the argus files via cron daily.... > > Regards, > > Will > _______________________________________________ > Ntop-dev mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-dev > _______________________________________________ Ntop-dev mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-dev
