I have now compiled tcpdump using PF_RING, so I have 2 copies on the
server, one not using PF_RING and one that does use it.
I see the version that does not use PF_RING grabs emails (smtp packets)
normally with some data loss.
The PF_RING enabled version grabs all packets (not lost packets) but the
data appears to be scrambled.
It looks to me that the PF_RING is corrupting the packet data.
PBW.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WILLIAMS,
Paul
Sent: Mittwoch, 6. Dezember 2006 15:04
To: [email protected]
Subject: [Ntop-misc] PF_RING: 67% of packets lost [Kernel
2.6.18.3]
Hi,
Has anyone seen this PF_RING problem before?
I have recently compiled a 2.6.18.3 Kernel with PF_RING patch
(source from 26.11.2006) on a Sun X2100 server.
I then compiled the various libraries and our smtp sniffing app.
When I try to capture data I see that most of the packets are
lost (example below)
Configure with:
insmod ring.ko bucket_len=9000 num_slots=9000 sample_rate=3
transparent_mode=1
INFO
Version : 3.2.1
Bucket length : 9000 bytes
Ring slots : 9000
Sample rate : 3 [1=no sampling]
Capture TX : No [RX only]
Total rings : 1
0
Bound Device : eth0
Version : 6
Sampling Rate : 0
Cluster Id : 0
Tot Slots : 465
Slot Len : 9018
Data Len : 9000
Tot Memory : 4194304
Tot Packets : 860309
Tot Pkt Lost : 574371
Tot Insert : 285938
Tot Read : 285478
Note: I have tried various configurations, including values that
have worked on other machines. This just happens to be the current
setting whilst writing this email.
From the figures in the log '0' you can see that appr 67% of
packets are lost.
All i seem to get are the beginings of the occational email
header.
If I set the bucket_len & num_slots to 0 (therefore not using
PF_RING) ...
Configure with:
insmod ring.ko bucket_len=0 num_slots=0
INFO
Version : 3.2.1
Bucket length : 0 bytes
Ring slots : 0
Sample rate : 1 [1=no sampling]
Capture TX : No [RX only]
Total rings : 0
No ring log
I do capture emails (smtp packets).
But, ofcourse data is lost, hence the need of the PF_RING.
On previous machines
PC PII 400Mhz (kernel 2.6.17)
Sun v20z 1.8Ghz (kernel 2.6.9)
The PF_RING patch was installed and capture performance
improvements were seen.
Has anyone see a similar problem?
And, more importantly (well for me) has anyone got any ideas
what might be causing this/how to fix this?
Cheers,
PBW.
------------------------------------------------------------------------
------------------
Software:
Kernel: 2.6.18.3 + PF_RING patch (from 26.11.2006)
Libpcap: 0.9.4
Libnids: 1.20
Libdnet: 1.11
Hardware:
Server: Sun X2100
CPU: Dual-Core AMD Opteron(tm) Processor 1214 (cpu
MHz: 2211.419)
RAM: 2Gb
Hdrive: SATA 250GB
NetCard: Intel 1000e (NAPI enabled in Kernel)
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
