Oh! Sorry, I didn't understand what you were asking. Will follow up, yeah. thanks!
Mike > On Jul 18, 2014, at 11:39, "Alfredo Cardigliano" <[email protected]> wrote: > > Hi Mike > as I said, if it is possible please provide us access to your machine (feel > free to contact me directly) > > Alfredo > >> On 16 Jul 2014, at 19:25, Mike Patterson <[email protected]> wrote: >> >> Sure, just let me know what I should do and I’ll do it. :) The sooner I can >> fix this, the sooner I can release my older hardware to do other things. >> >> Mike >> >>> On Jul 16, 2014, at 12:47 PM, Alfredo Cardigliano <[email protected]> >>> wrote: >>> >>> Hi Mike >>> bpf support in the daq-dna is available since r2679, so it is supposed to >>> work with your version. >>> Do we have a chance to debug this on your machine? >>> >>> Alfredo >>> >>>> On 16 Jul 2014, at 17:51, Mike Patterson <[email protected]> >>>> wrote: >>>> >>>> Hi all, >>>> >>>> On my previous Snort sensor, built on an Endace DAG, I had a BPF for Snort >>>> to exclude certain types of traffic. The BPF worked fine; Snort 2.9.5.1 >>>> and some previous versions. >>>> >>>> When I changed my Snort sensor to an X520 + PF_RING / DNA, that BPF >>>> stopped working. I can tell that Snort is loading it - it says as much in >>>> syslog - but it will still happily alert on traffic matching those >>>> exclusions. >>>> >>>> I’ve tried various iterations (I posted more detail on the snort-users >>>> list if anybody wants to look, or I can re-paste it here), but succinctly: >>>> >>>> 1) I don’t think it’s Snort itself - it did work on my previous platform. >>>> I tried differing versions of Snort just to be sure - 2.9.5.1, 2.9.6.0, >>>> 2.9.6.1. >>>> >>>> 2) I built tcpdump from the PF_RING distribution, and handed it the same >>>> BPF - it worked just fine, or at least, tcpdump didn’t complain about the >>>> BPF. I did a trivial test: >>>> tcpdump -i dna1@0 -n -w test.lpc not net 10.0.0.1/24 >>>> tcpdump -r test.lpc net 10.0.0.1/24 >>>> and got the expected output (nothing). So I *think* that this means >>>> libpcap (also built from PF_RING distribution) is fine. >>>> >>>> 3) Following the advice and some other troubleshooting on snort-users, I >>>> verified that I’m not seeing this traffic as a result of GRE tunnelling or >>>> VLAN tags. >>>> >>>> Versions: >>>> PF_RING 6.0.1 >>>> pfring-daq-module-dna_r2795 (I’d also tried pfring-daq-module-dna_r2521) >>>> >>>> The Intel-based machine is not yet in production, so I can fairly easily >>>> try anything people might suggest. >>>> >>>> Other details of my environment: >>>> RHEL 6.5 >>>> Intel X520 NIC: >>>> 06:00.1 Ethernet controller: Intel Corporation Ethernet 10G 2P X520 >>>> Adapter (rev 01) >>>> >>>> /proc/net/pf_ring/info is: >>>> PF_RING Version : 6.0.1 ($Revision: exported$) >>>> Total rings : 0 >>>> >>>> Standard (non DNA) Options >>>> Ring slots : 16384 >>>> Slot version : 15 >>>> Capture TX : No [RX only] >>>> IP Defragment : Yes >>>> Socket Mode : Standard >>>> Transparent mode : No [mode 2] >>>> Total plugins : 0 >>>> Cluster Fragment Queue : 0 >>>> Cluster Fragment Discard : 0 >>>> >>>> The X520 plugs into a tool port on an Arista 7150S. The DAG plugs into >>>> another tool port on the same switch; both tool ports are in the same >>>> aggregation group, so they should be getting identical data. >>>> >>>> I *do* have the option of applying the BPF on the Arista switch itself, >>>> although I’d rather avoid that if I can. >>>> >>>> Thanks in advance for any advice/debugging suggestions/etc. >>>> >>>> Mike >>>> >>>> _______________________________________________ >>>> Ntop-misc mailing list >>>> [email protected] >>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc >>> >>> _______________________________________________ >>> Ntop-misc mailing list >>> [email protected] >>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc >> >> _______________________________________________ >> Ntop-misc mailing list >> [email protected] >> http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc _______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
