Chris, I'm not sure that your customized version is operating like it's supposed to and I'm not sure how to go about troubleshooting it.
For example...

pfcount -i dna0
  shows about 5-6 Gbps of traffic

pfdnacluster_master -i dna0 -n 1 -c 10
pfcount -i dnacluster:10
  shows about 5-7 Gbps of traffic

pfdnacluster_master -i dna0 -n 2 -A 1 -c 10
pfcount -i dnacluster:10@0
  shows about 1.65 Gbps
pfcount -i dnacluster:10@1
  shows about 2 Gbps
pfcount -i dnacluster:10@2
  shows about 2 Gbps

pfdnacluster_master -i dna0 -n 28 -A 1 -c 10
pfcount -i dnacluster:10@0
  shows about 0.29 Gbps
pfcount -i dnacluster:10@27
  shows about 0.15 Gbps
pfcount -i dnacluster:10@28
  shows about 0.7 Gbps

So, it looks like the -A 1 command is creating an additional channel, but that channel definitely isn't seeing all the traffic.

Any idea how I can troubleshoot this further?

Thanks.

Craig

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Chris Wakelin
Sent: Tuesday, December 04, 2012 2:34 AM
To: [email protected]
Subject: Re: [Ntop-misc] DNA/Libzero, Snort, and Argus

Hi Craig,

I meant to reply to this earlier! I've just updated my variant of pfdnacluster_master to reflect the latest PF_RING SVN (attached). It compiles, but I can't test it easily at the moment (I have to go through a change management process before I change anything in PF_RING on our live servers, which are the only ones with Intel cards + DNA, ever since it managed to seriously upset the border switch by *sending* vast quantities of packets to its mirror port. Not sure how that happened - DNA was supposed to be in receive only mode!)

You may find that ARGUS will use up all available cycles on its CPU cores (unless the issue with DNA and select() has been fixed).

I'm not running it with multiple interfaces at the moment. I'm running with

pfdnacluster_master_cdw -i dna0 -c 1 -n 8 -D 2 -A 1 -l 1522 -d

to have 8 queues, duplicated, plus an additional queue that gets everything.

Suricata is using dnacl1:0-7, Bro IDS is using dnacl1:8-15 and ARGUS is using dnacl1:16

Also make sure you're running an up-to-date ARGUS if you have IPv6 traffic - there was a bug that caused it to modify IPv6 packets in memory, which is disastrous in zero-copy!

Best Wishes,
Chris

On 30/11/12 19:07, Craig Merchant wrote:
> We're in the process of deploying the redBorder Snort management
> solution (www.redborder.net).
>
> The boxes we're using for sensors each have a dual-port fiber adapter
> from Silicom with the DNA/libzero license. This is the first time
> I've tried to configure DNA and libzero before, so I'd love a little
> guidance from the community. Here's what I'm looking to do:
>
> I want to share traffic between Snort and the Argus flow collector
> tool. I want to hash and distribute traffic to Snort such that each
> of the 16 instances only sees a subset of the traffic. I want a
> single instance of Argus to view all of the traffic. Argus can read
> data from multiple interfaces or channels simultaneously.
>
> Do I use pfdnacluster_master or pfdnacluster_multithread? I'm not
> clear on how I can hash the traffic and fan it out to X number of
> consumers and then make a zero-copy of that fanned out traffic?
>
> Thanks.
>
> Craig

--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, [email protected]
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
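The check Craig is doing by hand above (does the -A queue see everything? do the per-queue rates add up?) is easy to get wrong once a cluster has 17 or 29 queues, so here is an added example, not code from the thread or from PF_RING, that encodes the two invariants a pfdnacluster_master layout implies. It assumes the queue numbering the thread describes: the -n hashed queues occupy queues 0..n-1, each -D duplicate copy follows as another block of n, and the -A queues come last (Chris's -n 8 -D 2 -A 1 gives 0-7, 8-15 and 16; Craig's -n 28 -A 1 gives 0-27 and 28). The throughput figures are entered by hand from pfcount output; the sample values are the ones Craig quoted for -n 2 -A 1, and the tolerance and the helper names are this example's own choices.

```python
"""
Sanity checks for a pfdnacluster_master queue layout (added example,
not part of the mailing-list thread or of PF_RING).

Given the cluster parameters (-n hashed queues, -D duplicate copies,
-A additional see-everything queues) and a per-queue throughput sample
such as pfcount prints, check the two invariants the layout implies:

  * every duplicate copy of the hashed set should carry the same total
    as the first copy (each copy is the whole traffic, hashed n ways);
  * every -A queue should carry roughly the sum of the hashed queues,
    because it receives a copy of every packet.

Queue numbering is an assumption taken from the thread: hashed copies
are consecutive blocks of n queues starting at 0, -A queues come last.
"""

from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ClusterLayout:
    n: int          # -n: hashed queues per copy
    dup: int = 1    # -D: number of copies of the hashed set
    extra: int = 0  # -A: additional queues that see all traffic

    @property
    def total_queues(self) -> int:
        return self.n * self.dup + self.extra

    def hashed_copies(self) -> list[list[int]]:
        """Queue ids of each duplicate copy of the hashed set."""
        return [list(range(c * self.n, (c + 1) * self.n)) for c in range(self.dup)]

    def extra_queues(self) -> list[int]:
        """Queue ids of the -A queues (assumed to follow all hashed copies)."""
        start = self.n * self.dup
        return list(range(start, start + self.extra))


def check_rates(layout: ClusterLayout, rates: dict[int, float],
                tolerance: float = 0.15) -> dict:
    """
    rates: queue id -> measured throughput (any unit, e.g. Gbps from pfcount).
    Returns per-copy totals, the expected total, the max/min skew across the
    first hashed copy, and whether each -A queue is within `tolerance` of
    the total. Queues absent from `rates` are listed, not treated as zero.
    """
    missing = [q for q in range(layout.total_queues) if q not in rates]
    copies = layout.hashed_copies()
    copy_totals = [sum(rates.get(q, 0.0) for q in c) for c in copies]
    expected_total = copy_totals[0]

    # Skew across hashed queues: a large ratio points at a few elephant
    # flows dominating the hash buckets rather than at the cluster itself.
    hashed0 = [rates[q] for q in copies[0] if q in rates]
    skew = (max(hashed0) / min(hashed0)) if hashed0 and min(hashed0) > 0 else float("inf")

    def within(value: float, target: float) -> bool:
        return target > 0 and abs(value - target) <= tolerance * target

    copy_ok = [within(t, expected_total) for t in copy_totals]
    extra_ok = {q: within(rates.get(q, 0.0), expected_total) for q in layout.extra_queues()}

    return {
        "missing_queues": missing,
        "copy_totals": copy_totals,
        "expected_total": expected_total,
        "hash_skew": skew,
        "copies_consistent": all(copy_ok),
        "extra_sees_everything": extra_ok,
    }


# Constructed sample: the Gbps figures Craig quotes for "-n 2 -A 1".
SAMPLE_N2_A1 = {0: 1.65, 1: 2.0, 2: 2.0}

if __name__ == "__main__":
    layout = ClusterLayout(n=2, dup=1, extra=1)
    print(check_rates(layout, SAMPLE_N2_A1))
```

On Craig's -n 2 -A 1 numbers the hashed queues sum to 3.65 Gbps while queue 2 (the -A queue) carries 2 Gbps, so `extra_sees_everything` comes back False for it, which is the symptom he describes. Note that pfcount figures are one-second samples, so take several readings per queue, or the same reading window for all queues, before trusting the comparison.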
