Hi, After compiling and install PF_RING 5.6.1 as well as re-compiling my libpcap programs (snort and argus), I'm finding some odd results that indicate packet loss.
# cat /etc/modprobe.d/pf_ring.conf options pf_ring transparent_mode=2 enable_tx_capture=0 min_num_slots=4096 # cat /proc/net/pf_ring/info PF_RING Version : 5.6.1 ($Revision: exported$) Total rings : 3 Standard (non DNA) Options Ring slots : 4096 Slot version : 15 Capture TX : No [RX only] IP Defragment : No Socket Mode : Standard Transparent mode : No [mode 2] Total plugins : 0 Cluster Fragment Queue : 37 Cluster Fragment Discard : 17 My snort instances appear to be performing ok, although I'm not actually getting any alerts out of them, which is certainly odd...I note that the Bucket Len and Slot Len appear normal, but the "Min Num Slots" appears off: # cat 1961-eth3.12 Bound Device(s) : eth3 Active : 1 Breed : Non-DNA Sampling Rate : 1 Capture Direction : RX+TX Socket Mode : RX only Appl. Name : snort-cluster-44-socket-0 IP Defragment : No BPF Filtering : Disabled # Sw Filt. Rules : 0 # Hw Filt. Rules : 0 Poll Pkt Watermark : 128 Num Poll Calls : 43342 Channel Id Mask : 0xFFFFFFFF Cluster Id : 44 Slot Version : 15 [5.6.1] Min Num Slots : 4872 Bucket Len : 1514 Slot Len : 1720 [bucket+header] Tot Memory : 8388608 Tot Packets : 8510075 Tot Pkt Lost : 7084 Tot Insert : 8502991 Tot Read : 8502728 Insert Offset : 7590592 Remove Offset : 7325832 TX: Send Ok : 0 TX: Send Errors : 0 Reflect: Fwd Ok : 0 Reflect: Fwd Errors: 0 Num Free Slots : 4609 What's worrying is the info provided for the argus instance: # cat 1979-eth3.13 Bound Device(s) : eth3 Active : 1 Breed : Non-DNA Sampling Rate : 1 Capture Direction : RX+TX Socket Mode : RX+TX Appl. Name : <unknown> IP Defragment : No BPF Filtering : Disabled # Sw Filt. Rules : 0 # Hw Filt. Rules : 0 Poll Pkt Watermark : 1 Num Poll Calls : 3543779 Channel Id Mask : 0xFFFFFFFF Cluster Id : 0 Slot Version : 15 [5.6.1] Min Num Slots : 7912 Bucket Len : 224 Slot Len : 264 [bucket+header] Tot Memory : 2097152 Tot Packets : 18936475 Tot Pkt Lost : 15382154 Tot Insert : 3554321 Tot Read : 3543765 Insert Offset : 1212200 Remove Offset : 1212568 TX: Send Ok : 0 TX: Send Errors : 0 Reflect: Fwd Ok : 0 Reflect: Fwd Errors: 0 Num Free Slots : 0 I'm wondering why the number of slots was doubled, the bucket length was minimized, and why there are no slots free for this instance...Can someone help me understand what I'm seeing here, and how I might troubleshoot this issue? This box has help many previous instances of PF_RING, and this is the first version I've seen this odd behavior with. Cheers, Jesse -- Jesse Bowling
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
