Tritium
this is definitely a strange behaviour.
Are you using the latest svn revision? Please make sure everything is
recompiled.
After that, can you patch the code with a debug print to check the
pfring_set_cluster() call?
Index: pcap-linux.c
===================================================================
--- pcap-linux.c (revision 5692)
+++ pcap-linux.c (working copy)
@@ -1180,9 +1180,10 @@
if(handle->ring) {
if(clusterId = getenv("PCAP_PF_RING_CLUSTER_ID"))
if(atoi(clusterId) > 0 && atoi(clusterId) < 255)
- if(getenv("PCAP_PF_RING_USE_CLUSTER_PER_FLOW"))
- pfring_set_cluster(handle->ring, atoi(clusterId),
cluster_per_flow);
- else
+ if(getenv("PCAP_PF_RING_USE_CLUSTER_PER_FLOW")) {
+ printf("[DEBUG] pfring_set_cluster(id = %d, type = %d)\n",
atoi(clusterId), cluster_per_flow_5_tuple);
+ pfring_set_cluster(handle->ring, atoi(clusterId),
cluster_per_flow_5_tuple);
+ } else
pfring_set_cluster(handle->ring, atoi(clusterId),
cluster_round_robin);
if(appname = getenv("PCAP_PF_RING_APPNAME"))
Then please recompile libpcap, run a test (for instance with tcpdump) and check
the output:
PCAP_PF_RING_CLUSTER_ID=71 PCAP_PF_RING_USE_CLUSTER_PER_FLOW=1 ./tcpdump -i eth0
Thank you
Alfredo
On Sep 18, 2012, at 9:05 AM, Tritium Cat <[email protected]> wrote:
> On Mon, Sep 17, 2012 at 2:01 PM, Alfredo Cardigliano <[email protected]>
> wrote:
> Tritium
> are you setting both PCAP_PF_RING_CLUSTER_ID and
> PCAP_PF_RING_USE_CLUSTER_PER_FLOW env variables?
> Changing cluster_per_flow to cluster_per_flow_5_tuple should work for you.
> What is the unexpected behaviour you are seeing?
>
>
> Yes, both env variables are set.
>
> The unexpected behavior I'm seeing is a failure to load-balance the traffic
> by 5-tuple.
>
> It only works when I patch PF_RING to prevent assigning the parsed vlan_id.
> (see previous email)
>
> All other attempts fail, including using env variables or directly modifying
> the source to force 5-tuple. (see previous email). As I've said numerous
> times, hash_pkt() does not seem to honor the mask_vlan flag. (see previous
> email)
>
> I am using Bro IDS with PF_RING. Bro IDS will alarm about "split routing" if
> it is missing packets. Unless I use the patch to avoid assigning the
> vlan_id, Bro IDS will constantly alert about missing packets because of what
> I believe is 6-tuple load balancing to the cluster of processes. 6-tuple
> causes a single 5-tuple session to be split into two separate flows because
> of different vlan_id for each direction of traffic. When this happens the
> Bro IDS workers will only see one "side" of the communication and thus
> complain very much.
>
> Once again, when I "patch" PF_RING to ignore the vlan_id the Bro IDS alarms
> go away. I only "patch" PF_RING because all other recommended approaches do
> not work as advertised.
>
> /tc
>
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
