Many thanks for your tip. Unfortunately, I had already set my bucket_len to 1600 when I came across this problem. As a matter of fact, I only run into trouble when testing libnids (I tested versions 1.21 and 1.19 with the same results). When testing other applications linked to the PF_RING-enabled libpcap-0.9.4, they all behave well. Based on my observation so far, I suspect there is probably a data alignment problem within the interface between libnids and libpcap. As I mentioned earlier, libnids-1.21 and libnids-1.19 both behaved well with PF_RING-enabled libpcap-0.8.1. And libnids works with libpcap-0.9.4 without PF_RING.
/Myron
On 11/11/06, Tiago Macambira <[EMAIL PROTECTED]> wrote:
On 11/11/06, Myron Cheung <[EMAIL PROTECTED]> wrote:
> (...)
>
> But when I test libnids-1.21 with PF_RING libpcap-0.9.4, things begin to
> break. First of all, there are a lot of syslog messages complaining about
> "invalid tcp headers"; and secondly, no TCP traffic data has been captured.
>
> (...)
It may sound obvious, but have you configured PF_RING to capture whole
packets? libnids _must_ receive complete packets in order to be able
to do TCP reassembly and PF_RING does _not_ capture full packets by
default. Setting bucket_len to 1600 bytes should do the trick...
[]s
Tiago Alves Macambira
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
