On Mon, Sep 17, 2012 at 2:01 PM, Alfredo Cardigliano <[email protected]>wrote:
> Tritium > are you setting both PCAP_PF_RING_CLUSTER_ID > and PCAP_PF_RING_USE_CLUSTER_PER_FLOW env variables? > Changing cluster_per_flow to cluster_per_flow_5_tuple should work for you. > What is the unexpected behaviour you are seeing? > Yes, both env variables are set. The unexpected behavior I'm seeing is a failure to load-balance the traffic by 5-tuple. It only works when I patch PF_RING to prevent assigning the parsed vlan_id. (see previous email) All other attempts fail, including using env variables or directly modifying the source to force 5-tuple. (see previous email). As I've said numerous times, hash_pkt() does not seem to honor the mask_vlan flag. (see previous email) I am using Bro IDS with PF_RING. Bro IDS will alarm about "split routing" if it is missing packets. Unless I use the patch to avoid assigning the vlan_id, Bro IDS will constantly alert about missing packets because of what I believe is 6-tuple load balancing to the cluster of processes. 6-tuple causes a single 5-tuple session to be split into two separate flows because of different vlan_id for each direction of traffic. When this happens the Bro IDS workers will only see one "side" of the communication and thus complain very much. Once again, when I "patch" PF_RING to ignore the vlan_id the Bro IDS alarms go away. I only "patch" PF_RING because all other recommended approaches do not work as advertised. /tc
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
