Sure, just let me know what I should do and I’ll do it. :) The sooner I can fix this, the sooner I can release my older hardware to do other things.
Mike On Jul 16, 2014, at 12:47 PM, Alfredo Cardigliano <[email protected]> wrote: > Hi Mike > bpf support in the daq-dna is available since r2679, so it is supposed to > work with your version. > Do we have a chance to debug this on your machine? > > Alfredo > > On 16 Jul 2014, at 17:51, Mike Patterson <[email protected]> wrote: > >> Hi all, >> >> On my previous Snort sensor, built on an Endace DAG, I had a BPF for Snort >> to exclude certain types of traffic. The BPF worked fine; Snort 2.9.5.1 and >> some previous versions. >> >> When I changed my Snort sensor to an X520 + PF_RING / DNA, that BPF stopped >> working. I can tell that Snort is loading it - it says as much in syslog - >> but it will still happily alert on traffic matching those exclusions. >> >> I’ve tried various iterations (I posted more detail on the snort-users list >> if anybody wants to look, or I can re-paste it here), but succinctly: >> >> 1) I don’t think it’s Snort itself - it did work on my previous platform. I >> tried differing versions of Snort just to be sure - 2.9.5.1, 2.9.6.0, >> 2.9.6.1. >> >> 2) I built tcpdump from the PF_RING distribution, and handed it the same BPF >> - it worked just fine, or at least, tcpdump didn’t complain about the BPF. I >> did a trivial test: >> tcpdump -i dna1@0 -n -w test.lpc not net 10.0.0.1/24 >> tcpdump -r test.lpc net 10.0.0.1/24 >> and got the expected output (nothing). So I *think* that this means libpcap >> (also built from PF_RING distribution) is fine. >> >> 3) Following the advice and some other troubleshooting on snort-users, I >> verified that I’m not seeing this traffic as a result of GRE tunnelling or >> VLAN tags. >> >> Versions: >> PF_RING 6.0.1 >> pfring-daq-module-dna_r2795 (I’d also tried pfring-daq-module-dna_r2521) >> >> The Intel-based machine is not yet in production, so I can fairly easily try >> anything people might suggest. >> >> Other details of my environment: >> RHEL 6.5 >> Intel X520 NIC: >> 06:00.1 Ethernet controller: Intel Corporation Ethernet 10G 2P X520 Adapter >> (rev 01) >> >> /proc/net/pf_ring/info is: >> PF_RING Version : 6.0.1 ($Revision: exported$) >> Total rings : 0 >> >> Standard (non DNA) Options >> Ring slots : 16384 >> Slot version : 15 >> Capture TX : No [RX only] >> IP Defragment : Yes >> Socket Mode : Standard >> Transparent mode : No [mode 2] >> Total plugins : 0 >> Cluster Fragment Queue : 0 >> Cluster Fragment Discard : 0 >> >> The X520 plugs into a tool port on an Arista 7150S. The DAG plugs into >> another tool port on the same switch; both tool ports are in the same >> aggregation group, so they should be getting identical data. >> >> I *do* have the option of applying the BPF on the Arista switch itself, >> although I’d rather avoid that if I can. >> >> Thanks in advance for any advice/debugging suggestions/etc. >> >> Mike >> >> _______________________________________________ >> Ntop-misc mailing list >> [email protected] >> http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc _______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
