Hi Luca, I can repeat the test with pfdump when I'm back at my computer, but is there something in particular you're looking for that wasn't in the pfcount output I provided? Shouldn't all the traffic from that one TCP stream be sent to one instance of pfcount?
Thanks,
Doug

On Sunday, June 2, 2013, Luca Deri wrote:
> Hi
> You're right. We need to add it: you can c&p the code from pfcount in the
> meantime
>
> Luca
>
> On Jun 2, 2013, at 1:54 AM, Doug Burks <[email protected]> wrote:
>
> > I have pfdump now but I don't see a cluster-id option. Did you mean
> > pfcount? If I run 2 instances of pfcount with the same cluster-id and
> > then replay a pcap with 10 packets all belonging to the same TCP
> > stream, I get 5 packets being sent to each pfcount instance.
> > Shouldn't all 10 packets be sent to 1 instance?
> >
> > First instance:
> >
> > sudo ./pfcount -c77 -i eth1
> > <snip>
> > =========================
> > Absolute Stats: [5 pkts rcvd][5 pkts filtered][0 pkts dropped]
> > Total Pkts=5/Dropped=0.0 %
> > 5 pkts - 434 bytes [0.38 pkt/sec - 0.00 Mbit/sec]
> > =========================
> > Actual Stats: 5 pkts [1'000.75 ms][5.00 pps/0.00 Gbps]
> > =========================
> >
> > Second instance:
> >
> > sudo ./pfcount -c77 -i eth1
> > <snip>
> > =========================
> > Absolute Stats: [5 pkts rcvd][5 pkts filtered][0 pkts dropped]
> > Total Pkts=5/Dropped=0.0 %
> > 5 pkts - 834 bytes [0.62 pkt/sec - 0.00 Mbit/sec]
> > =========================
> > Actual Stats: 5 pkts [1'001.39 ms][4.99 pps/0.00 Gbps]
> > =========================
> >
> > The replayed pcap is just ten packets that result from "curl testmyids.com":
> >
> > tcpdump -nnr testmyids.pcap
> > reading from file testmyids.pcap, link-type EN10MB (Ethernet)
> > 11:46:11.691648 IP 192.168.111.111.50154 > 217.160.51.31.80: Flags [S], seq 3840903154, win 42340, options [mss 1460,sackOK,TS val 20137183 ecr 0,nop,wscale 11], length 0
> > 11:46:11.808833 IP 217.160.51.31.80 > 192.168.111.111.50154: Flags [S.], seq 2859277445, ack 3840903155, win 5840, options [mss 1460,nop,wscale 7], length 0
> > 11:46:11.808854 IP 192.168.111.111.50154 > 217.160.51.31.80: Flags [.], ack 1, win 21, length 0
> > 11:46:11.809083 IP 192.168.111.111.50154 > 217.160.51.31.80: Flags [P.], seq 1:166, ack 1, win 21, length 165
> > 11:46:11.927518 IP 217.160.51.31.80 > 192.168.111.111.50154: Flags [.], ack 166, win 54, length 0
> > 11:46:12.036708 IP 217.160.51.31.80 > 192.168.111.111.50154: Flags [P.], seq 1:260, ack 166, win 54, length 259
> > 11:46:12.036956 IP 192.168.111.111.50154 > 217.160.51.31.80: Flags [.], ack 260, win 21, length 0
> > 11:46:12.037206 IP 192.168.111.111.50154 > 217.160.51.31.80: Flags [F.], seq 166, ack 260, win 21, length 0
> > 11:46:12.154641 IP 217.160.51.31.80 > 192.168.111.111.50154: Flags [F.], seq 260, ack 167, win 54, length 0
> > 11:46:12.154888 IP 192.168.111.111.50154 > 217.160.51.31.80: Flags [.], ack 261, win 21, length 0
> >
> > Any ideas?
> >
> > Thanks,
> > Doug
> >
> > On Sat, Jun 1, 2013 at 5:48 PM, Doug Burks <[email protected]> wrote:
> >> On Sat, Jun 1, 2013 at 10:24 AM, Luca Deri <[email protected]> wrote:
> >>> Hi Doug
> >>>
> >>> On Jun 1, 2013, at 6:59 AM, Doug Burks <[email protected]> wrote:
> >>>
> >>>> Hello all,
> >>>>
> >>>> I recently packaged PF_RING 5.5.3 for my Security Onion distro:
> >>>> http://securityonion.blogspot.com/2013/05/pfring-553-packages-now-available.html
> >>>>
> >>>> Perhaps I'm missing something, but I'm seeing some behavior I don't
> >>>> remember seeing in 5.5.2 or previous versions of PF_RING.
> >>>>
> >>>> Here are my testing parameters:
> >>>> - starting off with a good test, if I run just one instance of snort,
> >>>> I get an alert from rule 2100498 for EACH time I run "curl testmyids.com"
> >>>> - if I increase to two instances of snort with the same cluster-id, I
> >>>> get NO alerts when running "curl testmyids.com"
> >>>> - if I set the daq clustermode to 2, I get NO alerts when running
> >>>> "curl testmyids.com"
> > _______________________________________________
> > Ntop-misc mailing list
> > [email protected]
> > http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>

--
Doug Burks
http://securityonion.blogspot.com
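The expectation discussed in this thread, that every packet of one TCP stream reaches the same pfcount instance, only holds if the cluster distributes packets by a flow hash that gives both directions of a connection the same value. The program below is an added illustration written for this page, not PF_RING's own clustering code. It transcribes the ten packets from the tcpdump output above into a 5-tuple table and distributes them over two slots three ways: round-robin (which yields the 5/5 split reported above), a direction-dependent 5-tuple hash, and a direction-independent (symmetric) hash that puts all ten packets in one slot. The FNV-1a mixing function and the modulo slot assignment are assumptions made for the example; which policy PF_RING 5.5.3 applies to a given cluster id is not something this thread establishes.

```c
/*
 * Added illustration for this thread (not PF_RING code): a cluster that
 * is meant to keep a TCP stream on one slave needs a flow hash that
 * ignores packet direction.  Packets are transcribed from the tcpdump
 * output quoted above; FNV-1a and "hash % nslots" are assumptions made
 * for the example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct pkt {
    uint32_t saddr, daddr;   /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
    uint8_t  proto;          /* 6 = TCP */
};

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
#define CLIENT IP4(192, 168, 111, 111)
#define SERVER IP4(217, 160, 51, 31)

/* The "curl testmyids.com" connection from the tcpdump output, in capture order. */
static const struct pkt conn[10] = {
    { CLIENT, SERVER, 50154, 80, 6 }, /* [S]  */
    { SERVER, CLIENT, 80, 50154, 6 }, /* [S.] */
    { CLIENT, SERVER, 50154, 80, 6 }, /* [.]  ack 1 */
    { CLIENT, SERVER, 50154, 80, 6 }, /* [P.] seq 1:166 */
    { SERVER, CLIENT, 80, 50154, 6 }, /* [.]  ack 166 */
    { SERVER, CLIENT, 80, 50154, 6 }, /* [P.] seq 1:260 */
    { CLIENT, SERVER, 50154, 80, 6 }, /* [.]  ack 260 */
    { CLIENT, SERVER, 50154, 80, 6 }, /* [F.] */
    { SERVER, CLIENT, 80, 50154, 6 }, /* [F.] */
    { CLIENT, SERVER, 50154, 80, 6 }, /* [.]  ack 261 */
};
#define NPKTS (sizeof conn / sizeof conn[0])

enum mode { MODE_ROUND_ROBIN, MODE_DIRECTIONAL, MODE_SYMMETRIC };

/* FNV-1a: any reasonable mixing function would do; chosen for brevity. */
static uint32_t fnv1a(const uint8_t *b, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 16777619u; }
    return h;
}

static void put32(uint8_t *b, uint32_t v)
{
    b[0] = (uint8_t)(v >> 24); b[1] = (uint8_t)(v >> 16);
    b[2] = (uint8_t)(v >> 8);  b[3] = (uint8_t)v;
}
static void put16(uint8_t *b, uint16_t v) { b[0] = (uint8_t)(v >> 8); b[1] = (uint8_t)v; }

/* Direction-dependent 5-tuple hash: A->B and B->A generally differ. */
uint32_t flow_hash_directional(const struct pkt *p)
{
    uint8_t buf[13];
    put32(buf, p->saddr); put32(buf + 4, p->daddr);
    put16(buf + 8, p->sport); put16(buf + 10, p->dport);
    buf[12] = p->proto;
    return fnv1a(buf, sizeof buf);
}

/* Symmetric 5-tuple hash: order the two endpoints canonically before
 * hashing, so both halves of one connection produce the same value. */
uint32_t flow_hash_symmetric(const struct pkt *p)
{
    struct pkt c = *p;
    if (p->saddr > p->daddr || (p->saddr == p->daddr && p->sport > p->dport)) {
        c.saddr = p->daddr; c.daddr = p->saddr;
        c.sport = p->dport; c.dport = p->sport;
    }
    return flow_hash_directional(&c);
}

static int slot_of(enum mode m, size_t i, int nslots)
{
    switch (m) {
    case MODE_DIRECTIONAL: return (int)(flow_hash_directional(&conn[i]) % (uint32_t)nslots);
    case MODE_SYMMETRIC:   return (int)(flow_hash_symmetric(&conn[i]) % (uint32_t)nslots);
    default:               return (int)(i % (size_t)nslots);
    }
}

/* Distribute the connection over nslots slots; fills counts[] with the
 * per-slot packet count and returns how many distinct slots were used. */
int distribute(enum mode m, int nslots, int counts[])
{
    int used = 0;
    memset(counts, 0, (size_t)nslots * sizeof counts[0]);
    for (size_t i = 0; i < NPKTS; i++) {
        int slot = slot_of(m, i, nslots);
        if (counts[slot]++ == 0) used++;
    }
    return used;
}

int main(void)
{
    static const char *names[] = { "round-robin", "directional hash", "symmetric hash" };
    for (int m = MODE_ROUND_ROBIN; m <= MODE_SYMMETRIC; m++) {
        int counts[2];
        int used = distribute((enum mode)m, 2, counts);
        printf("%-17s slot0=%d slot1=%d (%d slot%s used)\n",
               names[m], counts[0], counts[1], used, used == 1 ? "" : "s");
    }
    return 0;
}
```

Only the symmetric variant keeps the whole stream together regardless of slot count; a direction-dependent hash can still land both halves in one slot by coincidence when there are only two slots, which is why a two-instance test like the one above cannot by itself distinguish "per-flow but one-directional" from "per-flow and symmetric".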
