Hi Luca,
this is our system setup:
* RedHatEnterpriseLinux 6.1
* Kernel 2.6.38.8
* libnl-devel installed
* libpcap-1.1.1-ring
* PF_RING 5.1 [modprobe pf_ring transparent_mode=1 enable_tx_capture=0
quick_mode=1]
* NICs:
    o Intel 82576 with PF_RING_aware driver using NAPI (DCA and MSI-X)
      [module loaded after pf_ring.ko]
    o *Chelsio T4 using vanilla kernel driver cxgb4* [module loaded
      after pf_ring.ko]
    o another Broadcom card for management using vanilla kernel driver.
And we want to use the following software:
* tcpdump, for sniffing and testing libpcap / performance on all NICS
* snort:
    o *in passive mode using daq pcap (passive) module on the Chelsio
      T4 NIC*
    o *leveraging PF_RING aware drivers using daq pf_ring (passive)
      module* for the Intel NIC
_Everything works fine_ if we simply:
* sniff traffic with tcpdump (compiled with -lpf_ring) on the Intel NIC
* start snort (compiled with -lpf_ring) with daq pf_ring on the Intel NIC
_Problems appear when_ we want to:
* sniff traffic with the same tcpdump (compiled with -lpf_ring) on the
Chelsio T4 NIC: *tcpdump starts but it does not receive/see any
packets. At the kernel level (ifconfig) packets arrive...*
* start the same snort with daq pcap (compiled with -lpf_ring) on the
Chelsio T4 NIC:
o *"pcap DAQ configured to passive.
Acquiring network traffic from "eth2".
ERROR: Can't set DAQ BPF filter to
'/usr/local/etc/snort/vlan/snort.conf' (pcap_daq_set_filter:
pcap_compile: syntax error)!"*
* *Exactly the same happens on the Broadcom mgmt NIC.*
To get everything working at the same time we have to recompile libpcap
and daq and tcpdump without pf_ring support (so we lose support for
Intel pf_ring drivers).
So in a few words the problem is that we cannot use the same
sniffing software with both pf_ring aware drivers and vanilla drivers.
According to pf_ring docs and manuals and webpages and blogs this
should be possible, especially with transparent_mode=1.
This looks like a problem of the pfring library to me and not of the
pf_ring kernel module or drivers.
*For example, if we do not load pf_ring module and pf_ring aware
drivers, and simply sniff the traffic on the Chelsio T4 with Snort or
TCPDump, we have the same problems!!!*
So these applications, once they are compiled on *libpcap-1.1.1-pfring,
cannot sniff on standard NICs.*
.......
I have absolutely no other clues....
Also, I would like to report that in the same system with the same tools
/ versions the igb - DNA drivers cause a kernel panic when we start a
pcap dependent application on it.
Any suggestion is welcome.
Enrico.
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc