Enrico the libpfring library is not able to set BPF filters as they fall into the libpcap domain, not PF_RING. MY colleague Alfredo is working at a fix for it that will be out later this week, so you won't have to wait too long.
Can you please let us know how to reproduce the DNA issues? Regards Luca On Sep 26, 2011, at 12:33 PM, Enrico Papi wrote: > Hi Luca, > > this is our system setup: > • RedHatEnterpriseLinux 6.1 > • Kernel 2.6.38.8 > • libnl-devel installed > • libpcap-1.1.1-ring > • PF_RING 5.1 [modprobe pf_ring transparent_mode=1 enable_tx_capture=0 > quick_mode=1] > • NICS: > • Intel 82576 with PF_RING_aware driver using NAPI (DCA and > MSI-X) [module loadef aftet pf_ring.ko] > • Chelsio T4 using vanilla kernel driver cxgb4 [module loadef > aftet pf_ring.ko] > • another Broadcom card for management using vanilla kernel > driver. > And we want to use the following software: > • tcpdump, for sniffing and testing libpcap / performance on all NICS > • snort : > • in passive mode using daq pcap (passive) module on the > Chelsio T4 NIC > • leveraging PF_RING aware drivers using daq pf_ring (passive) > module for the Intel NIC > Everything works fine if we simply: > • sniff traffic with tcpdump (compiled with -lpf_ring) on the Intel NIC > • start snort (compiled with -lpf_ring) with daq pf_ring on the Intel > NIC > Problems appears when we want to: > • sniff traffic with the same tcpdump (compiled with -lpf_ring) on the > Chelsio T4 NIC: tcpdump starts but it does not receive/see any packets. at > the kernel level (ifconfig) pkts arrives... > • start the same snort with daq pcap (compiled with -lpf_ring) on the > Chelsio T4 NIC: > • "pcap DAQ configured to passive. > Acquiring network traffic from "eth2". > ERROR: Can't set DAQ BPF filter to '/usr/local/etc/snort/vlan/snort.conf' > (pcap_daq_set_filter: pcap_compile: syntax error)!" > • exactly the same happens on the Broadcom mgmt NIC. > To get everything working at the same time we have to recompile libpcap and > daq and tcpdump without pf_ring support (so we lose support for intel pf_ring > drivers) > So in a few words the problem is that we cannot use with the same sniffing > software with both pf_ring aware drivers and vanilla drivers. > Accordingly to pf_ring docs and manuals and webpages and blogs this should be > possible , expecially with transparent_mode=1 > > This looks like a problem of the pfring library to me and not of the pf_ring > kernel module or drivers. > For example, if we do not load pf_ring module and pf_ring aware drivers, and > simply sniff the traffic on the Chelsio T4 with Snort or TCPDump, we have the > same problems!!! > So these applications, once they are compiled on libpcap-1.1.1-pfring , > cannot sniff on standard NICS. > > ....... > i have absolutely no other clues.... > also i would like to report that in the same system with the same tools / > versions the igb - DNA drivers causes a kernel panic when we start a pcap > dependent application on it. > > Any suggestion is welcome. > > Enrico. > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc --- We can't solve problems by using the same kind of thinking we used when we created them - Albert Einstein _______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
