On 05 Aug 2014, at 20:09, Doug Burks <[email protected]> wrote:

> Thanks for the prompt response!
>
> As you may know, lots of Ubuntu 12.04 systems are running kernels that
> will reach EOL in a few days (August 8) and will need to upgrade to
> kernel 3.13:
> https://wiki.ubuntu.com/1204_HWE_EOL
>
> Given that, do you have any recommendations?

We already support Ubuntu 14.04 LTS with kernel 3.13.0:
http://www.nmon.net/apt/

> Is svn considered stable right now?

Yes, there are not well-known open issues at the moment.

Alfredo

> On Tue, Aug 5, 2014 at 1:55 PM, Alfredo Cardigliano
> <[email protected]> wrote:
>> Hi Doug
>> see inline
>>
>> On 05 Aug 2014, at 17:57, Doug Burks <[email protected]> wrote:
>>
>>> Hi Alfredo,
>>>
>>> I've packaged PF_RING 6.0.1 in hopes of supporting Ubuntu's newer
>>> Hardware Enablement Stack which includes Linux kernel 3.13. I just
>>> happened to come across this thread. A few questions:
>>>
>>> - any idea when the next stable version (6.0.2) will be released?
>>
>> Probably mid/late September
>>
>>> - can you provide more detail about the fixes in svn? Were the fixes
>>> just in the kernel module itself? Can I safely update the kernel
>>> module component and keep the rest of my packages the same?
>>
>> Since we changed some data structures shared between kernel and userspace,
>> you should update everything.
>> We will provide the changelog with the next release.
>>
>> Alfredo
>>
>>>
>>> Thanks,
>>> Doug
>>>
>>> On Tue, Jul 22, 2014 at 10:50 AM, Alfredo Cardigliano
>>> <[email protected]> wrote:
>>>> Hi Jason
>>>> the code in svn contains some fixes for kernel 3.13, thus I cannot tell
>>>> you 6.0.1 supports kernel 3.13.
>>>>
>>>> Alfredo
>>>>
>>>> On 20 Jul 2014, at 19:25, dn1nj4 <[email protected]> wrote:
>>>>
>>>>> Hey Alfredo,
>>>>>
>>>>> I did not. I generally avoid deploying code in production that has not
>>>>> been released as Stable. So does 6.0.1 Stable not support Kernel 3.13?
>>>>>
>>>>> Thanks!
>>>>> Jason
>>>>>
>>>>>> Date: Fri, 18 Jul 2014 17:35:09 +0200
>>>>>> From: Alfredo Cardigliano <[email protected]>
>>>>>> To: [email protected]
>>>>>> Subject: Re: [Ntop-misc] PF_RING 6.0.1/Linux Kernel 3.13 Problems
>>>>>> Message-ID: <[email protected]>
>>>>>> Content-Type: text/plain; charset=us-ascii
>>>>>>
>>>>>> Hi Jason
>>>>>> code from SVN should support 3.13, did you try updating from SVN?
>>>>>>
>>>>>> Alfredo
>>>>>>
>>>>>>> On 18 Jul 2014, at 15:21, Jason <[email protected]> wrote:
>>>>>>>
>>>>>>> Hello all,
>>>>>>>
>>>>>>> Yesterday I upgraded a number of my systems to the Linux 3.13 kernel
>>>>>>> and PF-RING from 5.6.2 to 6.0.1. I have encountered several
>>>>>>> significant problems after the upgrades.
>>>>>>>
>>>>>>> First, one of my systems which was collecting around 900Mbps began
>>>>>>> recording only 1Mbps. Rolling back just the PF_RING 5.6.2 kernel
>>>>>>> module (compiled against the 3.13 kernel) fixed this problem and
>>>>>>> capture levels returned to normal.
>>>>>>>
>>>>>>> Second, a different system running several capture processes is
>>>>>>> recording packets filtered with "port 25" as ethernet packets only. It
>>>>>>> appears as though the IP and TCP headers are being stripped, but the
>>>>>>> ethernet and tcp payload are being stored. The only way I was able to
>>>>>>> get this working again was to roll back to an old 3.2 kernel, the
>>>>>>> PF_RING 5.6.2 kernel module AND the PF_RING libpcap library. This
>>>>>>> behavior appeared with every packet capture tool I tried (snort,
>>>>>>> tcpdump, bro, etc).
>>>>>>>
>>>>>>> Is the 3.13 linux kernel officially supported? Is there something else
>>>>>>> that might cause these strange errors?
>>>>>>>
>>>>>>> In all cases I was running transparent mode 0 with the vanilla NIC
>>>>>>> drivers.
>>>>>>>
>>>>>>> Thanks in advance,
>>>>>>> Jason
>>>>>>> _______________________________________________
>>>>>>> Ntop-misc mailing list
>>>>>>> [email protected]
>>>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>>>>>>
>>>>>> ------------------------------
>>>>>>
>>>>>> Message: 5
>>>>>> Date: Fri, 18 Jul 2014 15:50:29 +0000
>>>>>> From: Mike Patterson <[email protected]>
>>>>>> To: "<[email protected]>"
>>>>>> <[email protected]>
>>>>>> Subject: Re: [Ntop-misc] Snort, DNA DAQ, bpf
>>>>>> Message-ID: <[email protected]>
>>>>>> Content-Type: text/plain; charset="Windows-1252"
>>>>>>
>>>>>> Oh! Sorry, I didn't understand what you were asking. Will follow up,
>>>>>> yeah.
>>>>>>
>>>>>> thanks!
>>>>>>
>>>>>> Mike
>>>>>>
>>>>>>> On Jul 18, 2014, at 11:39, "Alfredo Cardigliano" <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hi Mike
>>>>>>> as I said, if it is possible please provide us access to your machine
>>>>>>> (feel free to contact me directly)
>>>>>>>
>>>>>>> Alfredo
>>>>>>>
>>>>>>>> On 16 Jul 2014, at 19:25, Mike Patterson <[email protected]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Sure, just let me know what I should do and I'll do it. :) The sooner
>>>>>>>> I can fix this, the sooner I can release my older hardware to do other
>>>>>>>> things.
>>>>>>>>
>>>>>>>> Mike
>>>>>>>>
>>>>>>>>> On Jul 16, 2014, at 12:47 PM, Alfredo Cardigliano
>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Hi Mike
>>>>>>>>> bpf support in the daq-dna is available since r2679, so it is
>>>>>>>>> supposed to work with your version.
>>>>>>>>> Do we have a chance to debug this on your machine?
>>>>>>>>>
>>>>>>>>> Alfredo
>>>>>>>>>
>>>>>>>>>> On 16 Jul 2014, at 17:51, Mike Patterson
>>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> On my previous Snort sensor, built on an Endace DAG, I had a BPF for
>>>>>>>>>> Snort to exclude certain types of traffic.
>>>>>>>>>> The BPF worked fine;
>>>>>>>>>> Snort 2.9.5.1 and some previous versions.
>>>>>>>>>>
>>>>>>>>>> When I changed my Snort sensor to an X520 + PF_RING / DNA, that BPF
>>>>>>>>>> stopped working. I can tell that Snort is loading it - it says as
>>>>>>>>>> much in syslog - but it will still happily alert on traffic matching
>>>>>>>>>> those exclusions.
>>>>>>>>>>
>>>>>>>>>> I've tried various iterations (I posted more detail on the
>>>>>>>>>> snort-users list if anybody wants to look, or I can re-paste it
>>>>>>>>>> here), but succinctly:
>>>>>>>>>>
>>>>>>>>>> 1) I don't think it's Snort itself - it did work on my previous
>>>>>>>>>> platform. I tried differing versions of Snort just to be sure -
>>>>>>>>>> 2.9.5.1, 2.9.6.0, 2.9.6.1.
>>>>>>>>>>
>>>>>>>>>> 2) I built tcpdump from the PF_RING distribution, and handed it the
>>>>>>>>>> same BPF - it worked just fine, or at least, tcpdump didn't complain
>>>>>>>>>> about the BPF. I did a trivial test:
>>>>>>>>>> tcpdump -i dna1@0 -n -w test.lpc not net 10.0.0.1/24
>>>>>>>>>> tcpdump -r test.lpc net 10.0.0.1/24
>>>>>>>>>> and got the expected output (nothing). So I *think* that this means
>>>>>>>>>> libpcap (also built from PF_RING distribution) is fine.
>>>>>>>>>>
>>>>>>>>>> 3) Following the advice and some other troubleshooting on
>>>>>>>>>> snort-users, I verified that I'm not seeing this traffic as a result
>>>>>>>>>> of GRE tunnelling or VLAN tags.
>>>>>>>>>>
>>>>>>>>>> Versions:
>>>>>>>>>> PF_RING 6.0.1
>>>>>>>>>> pfring-daq-module-dna_r2795 (I'd also tried
>>>>>>>>>> pfring-daq-module-dna_r2521)
>>>>>>>>>>
>>>>>>>>>> The Intel-based machine is not yet in production, so I can fairly
>>>>>>>>>> easily try anything people might suggest.
>>>>>>>>>>
>>>>>>>>>> Other details of my environment:
>>>>>>>>>> RHEL 6.5
>>>>>>>>>> Intel X520 NIC:
>>>>>>>>>> 06:00.1 Ethernet controller: Intel Corporation Ethernet 10G 2P X520
>>>>>>>>>> Adapter (rev 01)
>>>>>>>>>>
>>>>>>>>>> /proc/net/pf_ring/info is:
>>>>>>>>>> PF_RING Version          : 6.0.1 ($Revision: exported$)
>>>>>>>>>> Total rings              : 0
>>>>>>>>>>
>>>>>>>>>> Standard (non DNA) Options
>>>>>>>>>> Ring slots               : 16384
>>>>>>>>>> Slot version             : 15
>>>>>>>>>> Capture TX               : No [RX only]
>>>>>>>>>> IP Defragment            : Yes
>>>>>>>>>> Socket Mode              : Standard
>>>>>>>>>> Transparent mode         : No [mode 2]
>>>>>>>>>> Total plugins            : 0
>>>>>>>>>> Cluster Fragment Queue   : 0
>>>>>>>>>> Cluster Fragment Discard : 0
>>>>>>>>>>
>>>>>>>>>> The X520 plugs into a tool port on an Arista 7150S. The DAG plugs
>>>>>>>>>> into another tool port on the same switch; both tool ports are in
>>>>>>>>>> the same aggregation group, so they should be getting identical data.
>>>>>>>>>>
>>>>>>>>>> I *do* have the option of applying the BPF on the Arista switch
>>>>>>>>>> itself, although I'd rather avoid that if I can.
>>>>>>>>>>
>>>>>>>>>> Thanks in advance for any advice/debugging suggestions/etc.
>>>>>>>>>>
>>>>>>>>>> Mike
>>>>>>
>>>>>> ------------------------------
>>>>>>
>>>>>> End of Ntop-misc Digest, Vol 121, Issue 17
>>>>>> ******************************************
>>>
>>> --
>>> Doug Burks
>>> Need Security Onion Training or Commercial Support?
>>> http://securityonionsolutions.com
>
> --
> Doug Burks
> Need Security Onion Training or Commercial Support?
> http://securityonionsolutions.com
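
Added example, not part of the thread and not PF_RING or ntop code: a pcap audit that automates the read-back test Mike describes (no frame should touch the excluded network) and flags the symptom Jason reports (payload sitting directly behind the Ethernet header). The names audit_pcap and SAMPLE are hypothetical, and the capture bytes are constructed for illustration.

```python
import ipaddress
import struct

def audit_pcap(data, excluded_net):
    """Return (leaked, malformed): IPv4 frames touching excluded_net, and frames
    typed IPv4 with no plausible IPv4 header behind the Ethernet header."""
    net = ipaddress.ip_network(excluded_net, strict=False)  # accepts 10.0.0.1/24
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    leaked = malformed = 0
    off = 24
    while off + 16 <= len(data):
        caplen, origlen = struct.unpack(endian + "II", data[off + 8:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4; VLAN-tagged and IPv6 frames are out of scope
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4 if ip else 0
        total = struct.unpack("!H", ip[2:4])[0] if len(ip) >= 20 else 0
        # Version must be 4 and the declared length must fit the frame on the wire.
        if len(ip) < 20 or ip[0] >> 4 != 4 or ihl < 20 or not ihl <= total <= origlen - 14:
            malformed += 1
            continue
        src, dst = ipaddress.ip_address(ip[12:16]), ipaddress.ip_address(ip[16:20])
        leaked += src in net or dst in net
    return leaked, malformed

def _record(frame):  # pcap per-packet header with zero timestamps
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def _ipv4(src, dst):  # minimal Ethernet + IPv4 header, no payload
    return b"\x00" * 12 + b"\x08\x00" + struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

# Constructed capture: one clean frame, one inside the excluded net, and two
# frames where SMTP payload directly follows the Ethernet header.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _record(_ipv4("192.0.2.10", "198.51.100.7"))
          + _record(_ipv4("10.0.0.5", "198.51.100.7"))
          + _record(b"\x00" * 12 + b"\x08\x00" + b"220 mail.example ESMTP\r\n")
          + _record(b"\x00" * 12 + b"\x08\x00" + b"EHLO client.example\r\n"))

if __name__ == "__main__":
    print(audit_pcap(SAMPLE, "10.0.0.1/24"))
```

On a sensor whose filter and capture path are healthy both counts are zero; the declared-length check is what catches a payload such as "EHLO", whose first byte 0x45 would otherwise pass for an IPv4 version/IHL byte.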
