Hi Jesse I think that argus is setting the capture len to 224. Don't worry about "Min Num Slots", since the ring size is computed according to caplen and selected min num slots, then rounded up to pow of 2, it could be that for some values of caplen you will have much more slots available in the ring.
Best Regards Alfredo On Sep 24, 2013, at 7:09 PM, Jesse Bowling <[email protected]> wrote: > Hi, > > After compiling and install PF_RING 5.6.1 as well as re-compiling my libpcap > programs (snort and argus), I'm finding some odd results that indicate packet > loss. > > # cat /etc/modprobe.d/pf_ring.conf > options pf_ring transparent_mode=2 enable_tx_capture=0 min_num_slots=4096 > > # cat /proc/net/pf_ring/info > PF_RING Version : 5.6.1 ($Revision: exported$) > Total rings : 3 > Standard (non DNA) Options > Ring slots : 4096 > Slot version : 15 > Capture TX : No [RX only] > IP Defragment : No > Socket Mode : Standard > Transparent mode : No [mode 2] > Total plugins : 0 > Cluster Fragment Queue : 37 > Cluster Fragment Discard : 17 > > My snort instances appear to be performing ok, although I'm not actually > getting any alerts out of them, which is certainly odd...I note that the > Bucket Len and Slot Len appear normal, but the "Min Num Slots" appears off: > # cat 1961-eth3.12 > Bound Device(s) : eth3 > Active : 1 > Breed : Non-DNA > Sampling Rate : 1 > Capture Direction : RX+TX > Socket Mode : RX only > Appl. Name : snort-cluster-44-socket-0 > IP Defragment : No > BPF Filtering : Disabled > # Sw Filt. Rules : 0 > # Hw Filt. Rules : 0 > Poll Pkt Watermark : 128 > Num Poll Calls : 43342 > Channel Id Mask : 0xFFFFFFFF > Cluster Id : 44 > Slot Version : 15 [5.6.1] > Min Num Slots : 4872 > Bucket Len : 1514 > Slot Len : 1720 [bucket+header] > Tot Memory : 8388608 > Tot Packets : 8510075 > Tot Pkt Lost : 7084 > Tot Insert : 8502991 > Tot Read : 8502728 > Insert Offset : 7590592 > Remove Offset : 7325832 > TX: Send Ok : 0 > TX: Send Errors : 0 > Reflect: Fwd Ok : 0 > Reflect: Fwd Errors: 0 > Num Free Slots : 4609 > > > What's worrying is the info provided for the argus instance: > > # cat 1979-eth3.13 > Bound Device(s) : eth3 > Active : 1 > Breed : Non-DNA > Sampling Rate : 1 > Capture Direction : RX+TX > Socket Mode : RX+TX > Appl. Name : <unknown> > IP Defragment : No > BPF Filtering : Disabled > # Sw Filt. Rules : 0 > # Hw Filt. Rules : 0 > Poll Pkt Watermark : 1 > Num Poll Calls : 3543779 > Channel Id Mask : 0xFFFFFFFF > Cluster Id : 0 > Slot Version : 15 [5.6.1] > Min Num Slots : 7912 > Bucket Len : 224 > Slot Len : 264 [bucket+header] > Tot Memory : 2097152 > Tot Packets : 18936475 > Tot Pkt Lost : 15382154 > Tot Insert : 3554321 > Tot Read : 3543765 > Insert Offset : 1212200 > Remove Offset : 1212568 > TX: Send Ok : 0 > TX: Send Errors : 0 > Reflect: Fwd Ok : 0 > Reflect: Fwd Errors: 0 > Num Free Slots : 0 > > > I'm wondering why the number of slots was doubled, the bucket length was > minimized, and why there are no slots free for this instance...Can someone > help me understand what I'm seeing here, and how I might troubleshoot this > issue? > > This box has help many previous instances of PF_RING, and this is the first > version I've seen this odd behavior with. > > Cheers, > > Jesse > > -- > Jesse Bowling > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc _______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
