Here is what my testing shows when I use Chris' modified script...

I think I've figured it out and I don't know if the bug is with Chris' version of pfdnacluster_master or if it's a bug in pf_ring/DNA/libzero...

pfdnacluster_master -i dna0 -c 10 -n 2 -A 1

pfcount -i dnacluster:10@0 - 1.75 Gbps
pfcount -i dnacluster:10@1 - 1.35 Gbps
pfcount -i dnacluster:10@2 - 1.7 Gbps

pfdnacluster_master -i dna0 -c 10 -n 2 -D 2 -A 1

pfcount -i dnacluster:10@0 - 1.76 Gbps
pfcount -i dnacluster:10@1 - 1.35 Gbps
pfcount -i dnacluster:10@2 - 1.7 Gbps
pfcount -i dnacluster:10@3 - 1.4 Gbps
pfcount -i dnacluster:10@4 - 3.2 Gbps

So, from my testing, it looks like the -A switch only makes a full copy of that traffic on the last queue if the -D switch is also used.

From my reading of the README.libzero file as well as some forums, I should load pf_ring and ixgbe with something like the following module settings in my conf file under modprobe.d:

options ixgbe MQ=0,0 num_rx_slots=32768
options pf_ring min_num_slots=65536 transparent_mode=2
install ixgbe /sbin/modprobe pf_ring $CMDLINE_OPTS; /sbin/modprobe --ignore-install ixgbe $CMDLINE_OPTS

Is that right? In a conversation with Chris, he said he loads ixgbe with RSS=1,1. I thought the whole point of DNA/Libzero was to disable RSS...

Thanks.

C

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Chris Wakelin
Sent: Tuesday, December 04, 2012 2:34 AM
To: [email protected]
Subject: Re: [Ntop-misc] DNA/Libzero, Snort, and Argus

Hi Craig,

I meant to reply to this earlier!

I've just updated my variant of pfdnacluster_master to reflect the latest PF_RING SVN (attached). It compiles, but I can't test it easily at the moment (I have to go through a change management process before I change anything in PF_RING on our live servers, which are the only ones with Intel cards + DNA, ever since it managed to seriously upset the border switch by *sending* vast quantities of packets to its mirror port. Not sure how that happened - DNA was supposed to be in receive only mode!)

You may find that ARGUS will use up all available cycles on its CPU cores (unless the issue with DNA and select() has been fixed). I'm not running it with multiple interfaces at the moment.

I'm running with

pfdnacluster_master_cdw -i dna0 -c 1 -n 8 -D 2 -A 1 -l 1522 -d

to have 8 queues, duplicated, plus an additional queue that gets everything. Suricata is using dnacl1:0-7, Bro IDS is using dnacl1:8-15 and ARGUS is using dnacl1:16

Also make sure you're running an up-to-date ARGUS if you have IPv6 traffic - there was a bug that caused it to modify IPv6 packets in memory, which is disastrous in zero-copy!

Best Wishes,
Chris

On 30/11/12 19:07, Craig Merchant wrote:
> We're in the process of deploying the redBorder Snort management
> solution (www.redborder.net).
>
> The boxes we're using for sensors each have a dual-port fiber adapter
> from Silicom with the DNA/libzero license. This is the first time
> I've tried to configure DNA and libzero before, so I'd love a little
> guidance from the community. Here's what I'm looking to do:
>
> I want to share traffic between Snort and the Argus flow collector
> tool. I want to hash and distribute traffic to Snort such that each
> of the 16 instances only sees a subset of the traffic. I want a
> single instance of Argus to view all of the traffic. Argus can read
> data from multiple interfaces or channels simultaneously.
>
> Do I use pfdnacluster_master or pfdnacluster_multithread? I'm not
> clear on how I can hash the traffic and fan it out to X number of
> consumers and then make a zero-copy of that fanned out traffic?
>
> Thanks.
>
> Craig
>

--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, [email protected]
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
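
The check Craig did by eye in the message above, written out as an added example (not code from the thread or from PF_RING). It assumes the queue layout Chris describes: n hashed queues, repeated D times, followed by A queues that should each carry everything, with an omitted -D treated as one hashed set; the function names and the 10% tolerance are hypothetical.

```python
# Added example: sanity-check pfcount rates against the queue layout described
# in the thread. Assumed layout (from Chris's description, not from the script
# source): n hashed queues, repeated `dup` times, then `agg` full-copy queues.

def expected_layout(n, dup=1, agg=0):
    """Return [(queue_index, role)] for a cluster started with -n, -D, -A."""
    layout = []
    for copy in range(dup):
        for slot in range(n):
            layout.append((copy * n + slot, f"hash set {copy}, slot {slot}"))
    for a in range(agg):
        layout.append((dup * n + a, "aggregate"))
    return layout

def check_aggregate(rates_gbps, n, dup=1, agg=0, tolerance=0.10):
    """Compare each aggregate queue with the summed rate of hashed set 0.

    Returns a list of (queue_index, measured, expected, ok).
    """
    layout = expected_layout(n, dup, agg)
    if len(rates_gbps) != len(layout):
        raise ValueError(f"expected {len(layout)} queues, got {len(rates_gbps)}")
    # One complete hashed set sees every packet exactly once, so its summed
    # rate is what a full-copy queue should report.
    expected = sum(rates_gbps[:n])
    results = []
    for idx, role in layout:
        if role == "aggregate":
            measured = rates_gbps[idx]
            ok = abs(measured - expected) <= tolerance * expected
            results.append((idx, measured, expected, ok))
    return results

# pfcount readings quoted in the message above (Gbps).
WITHOUT_D = [1.75, 1.35, 1.7]             # -n 2 -A 1
WITH_D = [1.76, 1.35, 1.7, 1.4, 3.2]      # -n 2 -D 2 -A 1

if __name__ == "__main__":
    runs = (("-n 2 -A 1", WITHOUT_D, 1), ("-n 2 -D 2 -A 1", WITH_D, 2))
    for label, rates, dup in runs:
        for idx, measured, expected, ok in check_aggregate(rates, 2, dup, 1):
            verdict = "full copy" if ok else "NOT a full copy"
            print(f"{label}: queue {idx} {measured:.2f} Gbps, "
                  f"expected ~{expected:.2f} -> {verdict}")
```

A failed check on the aggregate queue means the flow collector attached to it is only seeing part of the traffic, so its flow records cannot be used to cross-check what the IDS queues saw.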
