If I understand you right: every application that opens a connection to this port, using the pcap library provided by pf_ring, will get a full copy of the stream, right? No splitting of data between the listening apps?

Regards
Stefan

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of Alfredo Cardigliano
Sent: Tuesday, 4 September 2012 10:30
To: [email protected]
Subject: Re: [Ntop-misc] traffic duplication with pf_ring aware driver and pf_ring?

Stefan
If I understand you correctly, you don't need any special configuration, open the same interface and that's it (every application on top of PF_RING receives a copy of the traffic with the drivers/mode you are using)

Regards
Alfredo

On Sep 4, 2012, at 10:13 AM, <[email protected]> wrote:

> I have only 1 stream for delivery and I would like to analyze this stream
> with multiple applications.
> For that I need to duplicate the stream, so that every app gets the full
> stream.
> A standard cluster is not solving this problem because my apps have different
> functionality. (1x snort 1x passivedns)
>
> I believe that this is a common problem and it would be a good idea if this
> copy job is executed
> in the kernel to save time and performance. I hope I was able to clarify what
> I want to do.
>
> Regards Stefan
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On behalf of Alfredo
> Cardigliano
> Sent: Tuesday, 4 September 2012 09:53
> To: [email protected]
> Subject: Re: [Ntop-misc] traffic duplication with pf_ring aware driver and
> pf_ring?
>
> Stefan
> I guess your applications are working fine on top of the PF_RING-aware
> drivers with transparent_mode=0, and
> your problem is the "traffic duplication on a 2nd virtual nic interface",
> right? What do you mean exactly with it?
>
> Regards
> Alfredo
>
> On Sep 4, 2012, at 9:25 AM, <[email protected]> wrote:
>
>> Hey Alfredo,
>>
>> I'm using the following components:
>>
>> Kernel : 3.0.42-030042-generic
>> pf_ring : 5.4.6
>> NIC driver : pf_ring aware driver for Intel e1000 card (e1000-8-0-35)
>> daq-1.1.1
>>
>>
>> pf_ring config:
>>
>> root@so2978:/data_fd2/snort/log# cat /proc/net/pf_ring/info
>> PF_RING Version : 5.4.6 ($Revision: 5662$)
>> Ring slots : 8192
>> Slot version : 14
>> Capture TX : No [RX only]
>> IP Defragment : No
>> Socket Mode : Standard
>> Transparent mode : Yes (mode 0)
>> Total rings : 1
>> Total plugins : 0
>>
>>
>> Thanks for your help
>> Stefan
>>
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On behalf of Alfredo
>> Cardigliano
>> Sent: Monday, 3 September 2012 15:33
>> To: [email protected]
>> Subject: Re: [Ntop-misc] traffic duplication with pf_ring aware driver and
>> pf_ring?
>>
>> Stefan
>> can you provide more info about drivers (vanilla/DNA/PF_RING-aware) and
>> other configurations (transparent_mode, ..) you are using?
>>
>> Alfredo
>>
>> On Sep 3, 2012, at 2:34 PM, <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> I would like to share received data to 2 different applications. 1 is snort
>>> and the 2nd is a passive dns app.
>>> I have snort and passive dns up and running.
>>>
>>> snort, daq and pf_ring are in use with an e1000 card.
>>>
>>> Can anybody give me some hints how to configure the system, so that I get a
>>> traffic duplication on a 2nd virtual nic interface?
>>>
>>> Thanks for your help
>>> Stefan
>>>
>>>
>>> __________________________________________
>>> Stefan Egger, MAS IT / Security
>>> Security Architect CSIRT
>>>
>>> Eidgenössisches Finanzdepartement EFD
>>> Bundesamt für Informatik und Telekommunikation BIT
>>> IT-Sicherheit und Risikomanagement BPSR
>>> Monbijoustrasse 74, 3003 Bern
>>> Tel: +41 31 322 14 54
>>> Fax: +41 31 325 90 30
>>> [email protected]
>>> Internet: http://www.bit.admin.ch

_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
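A way to check the setup discussed in the thread above, as an added example that is not part of the original messages or of PF_RING itself: it parses a `/proc/net/pf_ring/info` dump and verifies that transparent mode 0 is active and that enough rings are open for the expected number of capture applications. The function names `pf_field` and `pf_check` are hypothetical, and it assumes that "Total rings" counts the PF_RING sockets currently open.

```shell
#!/bin/sh
# Added example (not from the thread): check a /proc/net/pf_ring/info dump
# against the setup discussed above. pf_field and pf_check are hypothetical names.
# Assumption: "Total rings" counts the PF_RING sockets currently open, so two
# capture applications attached to the interface should show at least 2.

# Sample input: the info dump quoted in the thread.
SAMPLE_INFO='PF_RING Version : 5.4.6 ($Revision: 5662$)
Ring slots : 8192
Slot version : 14
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes (mode 0)
Total rings : 1
Total plugins : 0'

# pf_field NAME: print the value of field NAME from an info dump on stdin.
pf_field() {
    awk -v want="$1" '{
        sep = index($0, ":")            # first colon; values may contain more
        if (sep == 0) next
        key = substr($0, 1, sep - 1); val = substr($0, sep + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == want) { print val; exit }
    }'
}

# pf_check N: read an info dump on stdin; return 0 only if transparent mode 0
# is active and at least N rings (one per capture application) are open.
pf_check() {
    expected="$1"; info=$(cat); status=0
    mode=$(printf '%s\n' "$info" | pf_field "Transparent mode")
    rings=$(printf '%s\n' "$info" | pf_field "Total rings")
    case "$mode" in
        *"mode 0"*) echo "ok: transparent mode 0" ;;
        *) echo "warn: transparent mode is '$mode', thread assumes mode 0"; status=1 ;;
    esac
    if [ "${rings:-0}" -ge "$expected" ] 2>/dev/null; then
        echo "ok: $rings ring(s) open, $expected expected"
    else
        echo "warn: ${rings:-0} ring(s) open, $expected expected"; status=1
    fi
    return "$status"
}

# Two consumers (snort and passivedns) against the dump from the thread.
printf '%s\n' "$SAMPLE_INFO" | pf_check 2 || echo "=> fewer rings than capture applications"
```

On a live sensor, run `pf_check 2 < /proc/net/pf_ring/info` once both applications have been started.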
