Hi Luca!

The exact setup is:
- br0 bridging eth0 with eth1
- igb 2.0.6, and PF_RING 4.2.0
- pfcount -i eth0

When Transparent=0, both pfcount -i eth0 -e 1 and pfcount -i eth0 -e 2 show traffic. When Transparent=1, "-e 1" shows traffic, but "-e 2" shows 0 packets. No other captures (or snorts) are running at the time these tests are made.

Can this be worked around?

Thanks!

On 30/04/2010 01:42 p.m., Luca Deri wrote:
> Tomás
> transparent means that packets are sent to both pf_ring and the kernel. This
> has nothing to do with TX (I think that TX means the packet transmitted by
> the host on which you run pf_ring) beside the fact that if you set
> transparent=0 your interface on which pf_ring listens will not be visible.
> Make a simple test, with a few packets, without snort, so that you don't mix
> too many things at one time
>
> Luca
>
> On Apr 28, 2010, at 5:06 PM, Tomás Heredia wrote:
>
>> Hi!
>> Kinda found something: if using transparent mode 0 in the pf_ring module,
>> both directions are being captured. In this mode, I have a HUGE packet loss
>> rate. When setting transparent mode to 1, packet loss reaches 0, but I can't
>> capture TX traffic. Is there anything I'm missing?
>>
>> Thanks!!
>>
>> On 28/04/2010 04:21 a.m., fly_2u wrote:
>>
>>> Just a reference:
>>>
>>> In the PF_RING source code, there is one line:
>>> pfring_toggle_filtering_policy(pd, 0); /*Default to drop */
>>> Maybe you should make some changes for this sentence.
>>>
>>> On 2010-04-28 05:57:28, "Tomás Heredia" <[email protected]> wrote:
>>>
>>>> Hi all!
>>>>
>>>> I'm trying to capture TX packets with PF_RING. Indeed, Snort 2.8.4.1,
>>>> PF_RING 4.2.0 and igb driver 2.0.6
>>>> Snort doesn't get TX packets... nor does pfcount or tcpdump (pf_ring
>>>> aware libpcap).
>>>> Here's /proc/net/pf_ring/info:
>>>> ------------------------------------------------
>>>> PF_RING Version : 4.2.0 ($Revision: $)
>>>> Ring slots : 32768
>>>> Slot version : 10
>>>> Capture TX : Yes [RX+TX]
>>>> IP Defragment : No
>>>> Transparent mode : Yes
>>>> Total rings : 1
>>>> Total plugins : 0
>>>> ---------------------------------
>>>>
>>>> And /proc/net/pf_ring/xxxx-eth0.xx:
>>>> -------------------------------------
>>>> Bound Device : eth0
>>>> Slot Version : 10 [4.2.0]
>>>> Active : 1
>>>> Sampling Rate : 1
>>>> Appl. Name : <unknown>
>>>> IP Defragment : No
>>>> BPF Filtering : Enabled
>>>> # Filt. Rules : 0
>>>> Cluster Id : 0
>>>> Channel Id : 255
>>>> Tot Slots : 32770
>>>> Bucket Len : 1514
>>>> Slot Len : 1600 [bucket+header]
>>>> Tot Memory : 52432896
>>>> Tot Packets : 4110275
>>>> Tot Pkt Lost : 0
>>>> Tot Insert : 4110275
>>>> Tot Read : 4110275
>>>> Tot Fwd Ok : 0
>>>> Tot Fwd Errors : 0
>>>> Num Free Slots : 32770
>>>> --------------------------------------
>>>>
>>>> Any clues?
>>>>
>>>> Thanks!
>>>>
>>>> _______________________________________________
>>>> Ntop-misc mailing list
>>>> [email protected]
>>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
> ---
> We can't solve problems by using the same kind of thinking we used when we
> created them - Albert Einstein
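
Added example, not part of the thread and not PF_RING code: a small Python check over the `/proc/net/pf_ring` text quoted in the original post, flagging the conditions discussed above (TX capture setting, packet loss, a full ring). The function names, the `LOSSY` sample and the loss formula (lost packets assumed not to be counted in `Tot Packets`) are assumptions.

```python
import re

# Quoted from the thread: /proc/net/pf_ring/info and a subset of the per-ring file.
INFO = """\
PF_RING Version  : 4.2.0 ($Revision: $)
Capture TX       : Yes [RX+TX]
Transparent mode : Yes
"""
RING = """\
Bound Device   : eth0
Tot Packets    : 4110275
Tot Pkt Lost   : 0
Tot Insert     : 4110275
Tot Read       : 4110275
Num Free Slots : 32770
"""
# Constructed sample (not from the thread): a ring that is dropping packets.
LOSSY = """\
Bound Device   : eth1
Tot Packets    : 900000
Tot Pkt Lost   : 100000
Tot Insert     : 900000
Tot Read       : 867230
Num Free Slots : 0
"""

def parse_proc(text):
    """Parse 'Key : value' lines; separator and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            key, val = m.groups()
            fields[key] = int(val) if val.isdigit() else val
    return fields

def check_sensor(info, ring):
    """Return warnings to review before trusting what the sensor captured."""
    warnings, dev = [], ring.get("Bound Device", "?")
    if not str(info.get("Capture TX", "")).startswith("Yes"):
        warnings.append("module does not report TX capture")
    lost, seen = ring.get("Tot Pkt Lost", 0), ring.get("Tot Packets", 0)
    if lost:  # assumption: lost packets are not included in 'Tot Packets'
        warnings.append(f"{dev}: {lost / (seen + lost):.1%} packet loss")
    if ring.get("Tot Insert", 0) > ring.get("Tot Read", 0) and ring.get("Num Free Slots") == 0:
        warnings.append(f"{dev}: ring full, reader is falling behind")
    return warnings

if __name__ == "__main__":
    for sample in (RING, LOSSY):
        print(check_sensor(parse_proc(INFO), parse_proc(sample)) or "ok")
```

The thread's own numbers pass this check cleanly (`Capture TX : Yes`, `Tot Pkt Lost : 0`) even though TX packets were not being seen, so clean counters do not confirm both directions are captured; the per-direction `pfcount -e 1` / `-e 2` comparison from the top of the thread is still needed.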
