Michal
enable_frag_coherence does not reassemble IP fragments; it ensures flow 
coherence when computing the hash. This way snort receives all the fragments 
belonging to the same flow even if you are using 5-tuple hashing, for instance 
(only the first fragment has L4 info).

Alfredo
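As an added illustration (not code from this thread or from pf_ring itself), the model below shows why plain 5-tuple hashing scatters the non-first fragments of a flow and how a "frag coherence" step keeps them on the ring chosen for the first fragment. The Pkt fields, the (src, dst, proto, ip_id) lookup key and the counter names are assumptions made for the example, not pf_ring's actual data structures.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pkt:                      # constructed, minimal view of an IP packet
    src: str
    dst: str
    proto: int
    ip_id: int
    frag_off: int               # 0 for the first (or only) fragment
    mf: bool                    # "more fragments" flag
    sport: Optional[int] = None # L4 ports exist only in the first fragment
    dport: Optional[int] = None

def ring_hash(key: tuple, n_rings: int) -> int:
    """Deterministic ring selection from an arbitrary tuple key."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_rings

def naive_5tuple_ring(p: Pkt, n_rings: int) -> int:
    """Plain 5-tuple hashing: non-first fragments hash with ports=None."""
    return ring_hash((p.src, p.dst, p.proto, p.sport, p.dport), n_rings)

class FragCoherentBalancer:
    """Route every fragment of a datagram to the first fragment's ring."""
    def __init__(self, n_rings: int):
        self.n_rings = n_rings
        self.fragment_queue = {}   # (src, dst, proto, ip_id) -> ring (assumed key)
        self.fragment_discard = 0  # orphan fragments with no known first fragment

    def dispatch(self, p: Pkt) -> Optional[int]:
        if p.frag_off == 0 and not p.mf:          # unfragmented datagram
            return naive_5tuple_ring(p, self.n_rings)
        key = (p.src, p.dst, p.proto, p.ip_id)
        if p.frag_off == 0:                       # first fragment: has L4 info
            ring = naive_5tuple_ring(p, self.n_rings)
            self.fragment_queue[key] = ring
            return ring
        ring = self.fragment_queue.get(key)       # later fragment: look it up
        if ring is None:                          # orphan: cannot place it
            self.fragment_discard += 1
            return None
        if not p.mf:                              # last fragment: forget the flow
            del self.fragment_queue[key]
        return ring
```

With enable_frag_coherence=0 in real pf_ring only the naive path remains and the fragments of a single flow can land on different rings, which is the behaviour the coherence option is meant to prevent.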

On Jun 7, 2013, at 12:55 PM, Michal Purzynski <[email protected]> wrote:

> On 6/7/13 12:48 PM, Alfredo Cardigliano wrote:
>> Hi Michal
>> this could be normal in case you have fragments (pf_ring discards fragments 
>> when unable to keep track of the flow, in case of orphan fragments for 
>> instance).
>> If your network does not have fragments, please send us a pcap and your 
>> configuration in order to reproduce the issue.
>> If you want to disable fragment handling, you can use the 
>> enable_frag_coherence=0 parameter when insmod'ing pf_ring.ko (this option is 
>> available in svn)
> That group of sensors gets (among others) the traffic in front of the load 
> balancers, which might be fragmented, I suppose.
> 
> What's the difference between handling fragments in pf_ring (does it 
> reassemble them?) and leaving this option off and having it done by snort? Or 
> am I misunderstanding something?
> 
> Thanks for the explanation!
> 
>> 
>> Alfredo
>> 
>> On Jun 7, 2013, at 11:49 AM, Michal Purzynski <[email protected]> wrote:
>> 
>>> On 6/6/13 6:40 PM, Alfredo Cardigliano wrote:
>>>> Hi Michal
>>>> this is a bug we fixed yesterday; we will release a new tarball ASAP. In 
>>>> the meantime you can use a previous version or check out from svn
>>> Cluster Fragment Queue   : 361
>>> Cluster Fragment Discard : 108136
>>> 
>>> 09:46:02 up 4 min,  1 user,  load average: 14.65, 7.31, 2.90
>>> 
>>> After updating to the SVN version. Still, the discard isn't at zero.
>>> 
>>>> Best Regards
>>>> Alfredo
>>>> 
>>>> On Jun 6, 2013, at 4:36 PM, Michal Purzynski <[email protected]> wrote:
>>>> 
>>>>> Hello,
>>>>> 
>>>>> I've noticed something that wasn't here previously, and now I'm wondering 
>>>>> - is it normal for the counters to have such a high value? Especially the 
>>>>> "Cluster Fragment Discard".
>>>>> 
>>>>> cat /proc/net/pf_ring/info
>>>>> PF_RING Version          : 5.5.3 ($Revision: exported$)
>>>>> Total rings              : 14
>>>>> 
>>>>> Standard (non DNA) Options
>>>>> Ring slots               : 4096
>>>>> Slot version             : 15
>>>>> Capture TX               : Yes [RX+TX]
>>>>> IP Defragment            : No
>>>>> Socket Mode              : Standard
>>>>> Transparent mode         : Yes [mode 0]
>>>>> Total plugins            : 0
>>>>> Cluster Fragment Queue   : 2318
>>>>> Cluster Fragment Discard : 2270689567
>>>>> 
>>>>> _______________________________________________
>>>>> Ntop-misc mailing list
>>>>> [email protected]
>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc