ah, that helps a lot. Thanks. Everything seems to be working just fine, I suppose I got a little ahead of myself.
I switched to transparent mode two because the first two weren't cutting it; two provides a huge improvement over the other two. <--*sentence lol* I have 6 NIC's in this machine with PF_RING and the PF_RING "aware" NIC driver loaded, and all NIC's show up in /proc/net/pf_ring/dev. In transparent mode 2, normal networking still functions, unless I launch a libpcap program to sniff on the only interface with an IP address. Once I listen on that interface, I can no longer send out traffic., but once I kill the application, all is well again. That works out well, I was afraid I wasn't going to be able to send out e-mail alerts and make DNS queries (the interface's only purpose) I wasn't sure if you could set PF_RING to only use certain interfaces. I couldn't find anything from a Google search or from the User Guide. Anyways, Thanks!!! On Thu, Sep 22, 2011 at 12:52 PM, Chris Wakelin <[email protected]>wrote: > It *is* using PF_RING *unless* you set the variable. > > You can prove it if you like by setting "transparent_mode=2" when you > load the pf_ring module, assuming you're using a PF_RING-enabled > ethernet driver as well (DON'T do this unless your management is on a > different network interface or you'll disconnect yourself!). The > PF_RING-enabled tcpdump will see traffic, but the ordinary one won't. > > You'll also get stuff in /proc/net/pf_ring/<pid>-ethX if the module is > in use. > > Best Wishes, > Chris > > On 22/09/11 17:41, Jon Schipp wrote: > > If it's not using PF_RING because of the variable, any idea on how to > > disable the variable? > > > > I grep'd through the sources looking for that string, in hopes to remove > > that line, it seems to only be present in the binary. > > > > I'm not sure how you would pass the option to disable it through > configure. > > > > I tried --disable-FEATURE=PCAP_NO_PF_RING > > and --disable-PCAP_NO_PF_RING > > > > Any ideas? > > > > On Thu, Sep 22, 2011 at 11:49 AM, Chris Wakelin > > <[email protected]>wrote: > > > >> On 22/09/11 16:27, Jon Schipp wrote: > >>> Hey Chris, > >>> > >>> PCAP_NO_PF_RING is present in the strings output. I take it that it's > not > >>> using PF_RING? > >> > >> Yes it is! That's an environment variable you can set if you want to > >> disable PF_RING when using the PF_RING-enabled libpcap. It'll only be > >> there if it was compiled with the latter. > >> > >> Best Wishes, > >> Chris > >> > >>> On Thu, Sep 22, 2011 at 11:10 AM, Chris Wakelin > >>> <[email protected]>wrote: > >>> > >>>> The PF_RING library gets statically linked into libpcap and tcpdump, I > >>>> believe. Try "strings tcpdump" and see if you get things like > >>>> "PCAP_NO_PF_RING" in it. > >> > > > -- > --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+- > Christopher Wakelin, [email protected] > IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908 > Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094 > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > -- - Jon -- ------------------------------------------------------------------ VMB: 812-682-0231 Dubois County Linux User Group - http://www.dclinux.org Southern Indiana Computer Klub - http://sickbits.networklabs.org Bloomington FOOLS - http://www.bloomingtonfools.org/ BloomingLabs - http://www.bloominglabs.org ISSA-Kentuckiana - http://issa-kentuckiana.org GPG Key ID: 810903CB Key fingerprint = 0069 ED69 EABB DF84 5983 AD3C 6C20 BEFD 8109 03CB
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
