Enrico
see inline

On Sep 26, 2011, at 8:48 PM, Enrico Papi wrote:

> we are not setting any BPF filter in snort config
> consider my previous post without that snort output error.
> our problem shows up doing the following steps:
> compile the tcpdump included in the pf_ring tar with libpcap-1.1.1-pf_ring support
> start sniffing with that tcpdump on an interface not pf_ring aware after loading pf_ring module in transparent mode = 1
> results: you do not see any packets
> is it normal? can you try it?

Yes, it is normal. When PF_RING is in transparent_mode=1,2, it expects to receive packets directly from the NIC, and does *not* listen for packets coming from the linux stack.

>
> you can reproduce the same problem (no packets received) using a pf_ring aware snort with daq PCAP (not daq pfring) on a non pf_ring nic.
> in both those cases libpfring should not be used as i am not sniffing on a pfring nic but on a standard nic and i should see packets since i am simply using tcpdump on a standard nic.
> for now i have solved in the following way:
> use snort daq pfring for all snort instances (even on the NICs not pfring aware) -- is it correct? why it works ???
> use a tcpdump version compiled using libpcap-pfring library but without -lpf_ring flag -- why it works ???
>
> a further question:
> can i put pf_ring in transparent mode=2 and use pf_ring aware applications also for standard NICS?

No, with vanilla drivers you have to use transparent_mode=0

Best regards
Alfredo

> for example, in the same environment described in the previous post, it would mean using snort with daq pfring on the intel NIC and the same snort binary with daq pcap on the Chelsio T4.
> according to what happens now in my system i would not see the packets flowing in the Chelsio......
>
> about DNA igb driver:
> i have to say that we have done simply a test and we do not intend to use dna features.
>
> you can reproduce the problem doing:
> compile pf_ring kernel mod, compile libpfring with dna support, compile libpcap-pfring, compile tcpdump with libpcap-pfring support
> load pfring module in transparent_mode = 2 , no tx mode, quickmode=1
> compile and load igb 3.x DNA driver
> start sniffing with tcpdump like this #tcpdump -i dna0
> SYSTEM HANGS.....(i do not have trace file)
> the system spec are the same of the prev. post.
>
>
> On 09/26/2011 12:33 PM, Enrico Papi wrote:
>>
>> Enrico
>> the libpfring library is not able to set BPF filters as they fall into the libpcap domain, not PF_RING. My colleague Alfredo is working at a fix for it that will be out later this week, so you won't have to wait too long.
>>
>> Can you please let us know how to reproduce the DNA issues?
>>
>> Regards Luca
>>
>>
>
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
