Hi, I've downloaded and compiled the latest svn PF_RING and snort (2.9.6.0).
pf_ring kernel module loaded (transparent_mode=0 min_num_slots=32768 enable_tx_capture=0)

    $ cat /proc/net/pf_ring/info
    PF_RING Version          : 5.6.3 ($Revision: exported$)
    Total rings              : 2

    Standard (non DNA) Options
    Ring slots               : 32768
    Slot version             : 15
    Capture TX               : No [RX only]
    IP Defragment            : No
    Socket Mode              : Standard
    Transparent mode         : Yes [mode 0]
    Total plugins            : 0
    Cluster Fragment Queue   : 0
    Cluster Fragment Discard : 0

and snort executed as follows (no rules):-

    # /usr/local/bin/snort -A console --daq-dir=/usr/local/lib/daq --daq pfring --daq-var fast-tx=1 --daq-var clusterid=10,11 --daq-var bindcpu=3 -i eth8:eth9 -Q

I have one host connected on eth8 and one on eth9. When I ping one host from the other, I see the packet header in the console and the ICMP replies are received, however the RTTs are over 1000ms. ssh or ftp across the link is unusable.

By comparison, if I use afpacket daq, performance is excellent.

On a side note, if I invoke another instance of snort using pf_ring, I do not see a load balance of packets either.

Anyone have similar problems? I'm thinking of trying Ubuntu 13.10 to see if it makes any difference.
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
