It *is* using PF_RING *unless* you set the variable. You can prove it if you like by setting "transparent_mode=2" when you load the pf_ring module, assuming you're using a PF_RING-enabled ethernet driver as well (DON'T do this unless your management is on a different network interface or you'll disconnect yourself!). The PF_RING-enabled tcpdump will see traffic, but the ordinary one won't.
You'll also get stuff in /proc/net/pf_ring/<pid>-ethX if the module is in use. Best Wishes, Chris On 22/09/11 17:41, Jon Schipp wrote: > If it's not using PF_RING because of the variable, any idea on how to > disable the variable? > > I grep'd through the sources looking for that string, in hopes to remove > that line, it seems to only be present in the binary. > > I'm not sure how you would pass the option to disable it through configure. > > I tried --disable-FEATURE=PCAP_NO_PF_RING > and --disable-PCAP_NO_PF_RING > > Any ideas? > > On Thu, Sep 22, 2011 at 11:49 AM, Chris Wakelin > <[email protected]>wrote: > >> On 22/09/11 16:27, Jon Schipp wrote: >>> Hey Chris, >>> >>> PCAP_NO_PF_RING is present in the strings output. I take it that it's not >>> using PF_RING? >> >> Yes it is! That's an environment variable you can set if you want to >> disable PF_RING when using the PF_RING-enabled libpcap. It'll only be >> there if it was compiled with the latter. >> >> Best Wishes, >> Chris >> >>> On Thu, Sep 22, 2011 at 11:10 AM, Chris Wakelin >>> <[email protected]>wrote: >>> >>>> The PF_RING library gets statically linked into libpcap and tcpdump, I >>>> believe. Try "strings tcpdump" and see if you get things like >>>> "PCAP_NO_PF_RING" in it. >> -- --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+- Christopher Wakelin, [email protected] IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908 Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094 _______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
