We don't see any drops, the frag packets are simply "missing". We noticed this with 16-byte as well.
Using BreakingPoint 10g traffic generator we can send packets with different fragment attack methods. Anything less than 24-byte fragments does not get reassembled completely. 24-byte and above reassemble fine. We noticed this when packet captures showed some fragments missing in Wireshark when looking at the pcaps. The fragments that are there seem to be assembled in proper sequence. If we disable defrag in pfring.conf or remove pf_ring from the picture, all fragmented packets arrive.

We tested using:

CentOS 6.4 - kernel 2.6.32-358.14.1 X_64.
PF_RING Versions: 5.6.0 and 5.6.1
Traffic speeds: 200Mb/s - 600Mb/s
VMWare ESXi
Intel 10G NIC
Driver for 10G CentOS - VMXNet3 and the NIC is NOT bridged directly to the VM.
Driver for 1G system - e1000
pfring enabled. Defrag is enabled via pfring.conf and verified.
Transparent mode - 0 (for these tests)
Test method - frag - 8-byte and 8-byte out-of-order (16 byte has the same issues)

Sifting through the code we see the ip_defrag is a call to the CentOS kernel's internal defrag routine. So this begs the question of kernel "tuning". Although I don't find anything directly affecting that issue.

So my question is, has anyone else noticed this behavior and was there a way to correct it?

Regards,
-Scott
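The check described in the post (spotting which fragments never arrived in a capture) can be automated. The following is an added example, not part of the original post and not PF_RING code: it takes raw IPv4 packets and reports, per datagram, the byte ranges no fragment covered. The helper names, addresses and sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header
SRC, DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])  # documentation addresses

def make_fragment(ident, offset, payload, mf):
    """Build a constructed UDP-protocol fragment (checksum left 0, not verified here)."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    return struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident,
                       flags_frag, 64, 17, 0, SRC, DST) + payload

def parse_ipv4(pkt):
    """Return (datagram key, byte offset, payload length, MF flag)."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = \
        struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & 0x1FFF) * 8      # offset field counts 8-byte units
    return (src, dst, proto, ident), offset, total_len - ihl, bool(flags_frag & 0x2000)

def missing_ranges(packets):
    """Map each incomplete fragmented datagram to its uncovered byte ranges.
    An end of None means the final fragment (MF=0) was never seen."""
    spans, has_last = defaultdict(list), set()
    for pkt in packets:
        key, off, length, mf = parse_ipv4(pkt)
        if off == 0 and not mf:
            continue                         # unfragmented packet
        spans[key].append((off, off + length))
        if not mf:
            has_last.add(key)
    report = {}
    for key, seen in spans.items():
        gaps, cursor = [], 0
        for start, end in sorted(seen):      # arrival order does not matter
            if start > cursor:
                gaps.append((cursor, start))
            cursor = max(cursor, end)
        if key not in has_last:
            gaps.append((cursor, None))
        if gaps:
            report[key] = gaps
    return report

# Constructed sample: 8-byte fragments, out of order.
SAMPLE = [make_fragment(1, 24, b"D" * 8, False), make_fragment(1, 0, b"A" * 8, True),
          make_fragment(1, 8, b"B" * 8, True),     # id 1: offset 16 missing
          make_fragment(2, 8, b"B" * 8, True), make_fragment(2, 0, b"A" * 8, True),
          make_fragment(2, 16, b"C" * 8, False),   # id 2: complete
          make_fragment(3, 0, b"A" * 8, True), make_fragment(3, 8, b"B" * 8, True)]
```

Feeding it the IP-layer bytes of each packet from a capture taken before and after the defrag stage shows whether the same offsets go missing each time.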
