Hi Alicia,
sorry for our late reply, good to see you solved the issue.

Alfredo

> On 04/Apr/2014, at 15:59, Alicia Smith <[email protected]> wrote:
>
> YAY!
>
> I’ve resolved the original issue. The issue was my interface configuration files.
> I had named the interfaces in pre-existing config files that were for the
> original network card we replaced with the intel ones.
> While the interfaces would come up – I guess there’s something inherent in
> RedHat that didn’t like the names of the files.
>
> I changed the names of the files, and restarted each interface – and voila!
> I get data in tcpdump now.
> Going to mess around with this a bit more, and get it going.
>
> Thank you to everyone who responded!
>
> Alicia Smith
>
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Alicia Smith
> Sent: Friday, April 04, 2014 5:54 PM
> To: [email protected]
> Subject: Re: [Ntop-misc] Hello! New here, and trying to get PF_RING+DNA going for Snort.
>
> Going to add a bit more information to this.
>
> I did purchase the licensing for my Ethernet card.
> It’s from Silicom – a 10Gb ixgbe intel based card (82599) using the
> ixgbe-3.18.7-DNA/ driver.
>
> Here is my /usr/local/include dir
> ls -al /usr/local/include
> total 84
> drwxr-xr-x.  3 root root  4096 Apr 4 18:23 .
> drwxr-xr-x. 13 root root  4096 Mar 3 2012 ..
> drwxr-xr-x   2 root root  4096 Apr 4 18:23 pcap
> -rw-r--r--   1 root root  2393 Apr 4 18:23 pcap-bpf.h
> -rw-r--r--   1 root root  2320 Apr 4 18:23 pcap.h
> -rw-r--r--   1 root root  2125 Apr 4 18:23 pcap-namedb.h
> -rw-r--r--   1 root root 54448 Apr 4 18:21 pfring.h
> -rw-r--r--   1 root root  3891 Apr 4 18:22 pfring_i82599.c
>
> Running ./pfcount -i dna0 yields zero packets RX and zero dropped.
> Absolute Stats: [0 pkts rcvd][0 pkts filtered][0 pkts dropped]
> Total Pkts=0/Dropped=0.0 %
> 0 pkts - 0 bytes [0.00 pkt/sec - 0.00 Mbit/sec]
> =========================
> Actual Stats: 0 pkts [1'000.20 ms][0.00 pps/0.00 Gbps]
>
> All of the items such as libpcap, tcpdump, pfring_dna, and the DNA_daq have
> been installed.
>
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Alicia Smith
> Sent: Friday, April 04, 2014 2:18 PM
> To: [email protected]
> Subject: [Ntop-misc] Hello! New here, and trying to get PF_RING+DNA going for Snort.
>
> I’ve compiled the drivers and everything appeared to be going good.
> However, Snort is no longer seeing traffic, and tcpdump shows no traffic if I
> try tcpdump -i dna0
>
> But I know there is traffic:
>
> dna0
>     RX packets:3679364 errors:0 dropped:0 overruns:0 frame:0
>     TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>     collisions:0 txqueuelen:1000
>     RX bytes:2023495833 (1.8 GiB) TX bytes:0 (0.0 b)
>
> dna0
>     RX packets:3701482 errors:0 dropped:0 overruns:0 frame:0
>     TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>     collisions:0 txqueuelen:1000
>     RX bytes:2040067400 (1.8 GiB) TX bytes:0 (0.0 b)
>
> dna1
>     RX packets:61999326 errors:0 dropped:0 overruns:0 frame:0
>     TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>     collisions:0 txqueuelen:1000
>     RX bytes:45521836981 (42.3 GiB) TX bytes:0 (0.0 b)
>
> dna1
>     RX packets:62450299 errors:0 dropped:0 overruns:0 frame:0
>     TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>     collisions:0 txqueuelen:1000
>     RX bytes:45869728250 (42.7 GiB) TX bytes:0 (0.0 b)
>
> Settings are the same for both interfaces:
> Settings for dna0:
>     Supported ports: [ FIBRE ]
>     Supported link modes: 10000baseT/Full
>     Supported pause frame use: No
>     Supports auto-negotiation: No
>     Advertised link modes: 10000baseT/Full
>     Advertised pause frame use: No
>     Advertised auto-negotiation: No
>     Speed: 10000Mb/s
>     Duplex: Full
>     Port: FIBRE
>     PHYAD: 0
>     Transceiver: external
>     Auto-negotiation: off
>     Supports Wake-on: d
>     Wake-on: d
>     Current message level: 0x00000007 (7)
>         drv probe link
>     Link detected: yes
>
> Lsmod yields the following:
> [root@PHX01-NIDS snort]# lsmod
> Module                  Size  Used by
> pf_ring               407075  0
> ixgbe                 270444  0
>
>
> libpcap and tcpdump were recompiled after the installation of pf_ring.
> I don’t know what other information I can give.
> I only get output from tcpdump if I specify -i any
>
>
> Any help would be appreciated.
>
>
>
> --
> Alicia Smith
> Senior Security Engineer, FireHost
>
> (US: +00) 1 877 262 3473
> (UK: +44) 0800 500 3167
> [email protected]
>
> SECURE CLOUD HOSTING
> North America | Europe | Asia Pacific
> ComputerWorld: 100 Best Places to Work in IT See Current Opportunities
>
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
