Hi Guys, It seems that many people run into the same issue.How about integrating a PF_RING aware (ixgbe) patch? E.g., http://www.mail-archive.com/[email protected]/msg05571.html http://patchwork.ozlabs.org/patch/48594/ Same phenomena happens in PF_RING-5.6.0 with Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection while running tcpdump (either built-in or external), pfcount_multichannel, etc. I believe a cleaner approach will not require patching (calling .._set_cluster), recompilation and ENV setting. Best, Oren > Date: Tue, 19 Mar 2013 14:19:00 -0500 > From: [email protected] > To: [email protected] > Subject: Re: [Ntop-misc] Using PF_RING Aware Drivers with VLAN Trunk > > I did at runtime with switches: > > snort -c /opt/snort-2.9.4.1/etc/snort.conf -D -y -i p1p1 --daq-dir > /usr/local/lib/daq --daq pfring --daq-var clusterid=10 --daq-mode passive > > I was just about to post back, I unloaded all the kernel modules, > rebooted, recompiled and reloaded the modules and something is finally > working. Now I just have to work out how to cluster Snort on pfring > properly, but that is outside the scope of these threads. > > Thanks for all the quick replies and help, if I figure out what did it I > will provide back the information, since I have to go through this setup > a few more times. > > > On 03/19/2013 02:12 PM, Justin Azoff wrote: > > On Tue, Mar 19, 2013 at 01:44:31PM -0500, Ryan wrote: > >> The pf_ring daq is also using the libpcap out of the > >> PF_RING/userland/libpcap. > >> > >> # ldd /usr/local/lib/daq/daq_pfring.so > >> linux-vdso.so.1 => (0x00007fff197bf000) > >> libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x00007fee9344e000) > >> libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00007fee931f8000) > >> libpfring.so => /usr/local/lib/libpfring.so (0x00007fee92fd3000) > >> libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fee92db1000) > >> libc.so.6 => /lib64/libc.so.6 (0x00007fee92a1d000) > >> /lib64/ld-linux-x86-64.so.2 (0x00007fee93878000) > >> > >> There was someone encountering similar issues to me in the list, see > >> this archive on Gossamer Threads: > >> http://www.gossamer-threads.com/lists/ntop/misc/29722?do=post_view_threaded > >> > >> Unfortunately he never replied with is fix. > >> > >> Everything has officially been recompiled and double checked on > >> using the right libpcap. I'm at a loss at this point. > >> > >> Thanks for the help so far! > > Did you reconfigure snort to use the pf_ring DAQ module? > > > > config daq: pfring > > config daq_var: clusterid=10 > > > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
