Excellent! Thank you! On Fri, Dec 19, 2014 at 8:49 PM, Alfredo Cardigliano <[email protected]> wrote: > ZC works in zero-copy (no packet copy), thus capturing the whole packet or > just a snaplen does not affect performance. > > Alfredo > >> On 19 Dec 2014, at 17:57, Pavel Odintsov <[email protected]> wrote: >> >> Thank you for your help, Alfredo! I integrated ZC support via native >> ZC API and everything works nice. >> >> But I can't find any analogue for snaplen in ZC API. I need only >> packet headers for processing. Can I do it with ZC API? >> >> On Sat, Oct 25, 2014 at 5:37 PM, Alfredo Cardigliano >> <[email protected]> wrote: >>> Hi Pavel >>> for 10 Gbit line-rate you definitely need ZC, you can use hw RSS for >>> spreading load across multiple instances of your application or custom >>> software distribution (using for instance zbalance_ipc). >>> >>> For packet parsing you can use pfring_parse_pkt(), according to what you >>> need you should call: >>> pfring_parse_pkt(pkt /* u_char* */, &hdr /* struct pfring_pkthdr* */, 3 /* >>> up to L3 */, 0 /* no timestamp */, 0 /* no hash */); >>> >>> Alfredo >>> >>>> On 23 Oct 2014, at 20:00, Pavel Odintsov <[email protected]> wrote: >>>> >>>> Hello, folks! >>>> >>>> I'm working on OSS solution for DDoS detection >>>> (https://github.com/FastVPSEestiOu/fastnetmon) and passed through hard >>>> way of: pcap, ulog2, pf_ring. >>>> >>>> I'm really amazed PF_RING and I can analyze streams up to 2 million >>>> packets per second on really slow hw (i7 2600 with Intel 82599). >>>> >>>> But my final target - provide monitoring ability on wire rate 10GBps >>>> and 14Mpps. I tried to use plain pf_ring, multichannel pf_ring and >>>> start thinking about ZC.... >>>> >>>> Maybe somebody can recommend best and fastest approach for my task? I >>>> need small amount of packet headers (src/dst ip, src/dst port, >>>> protocol). For extracting data I surely need some sort of packets >>>> parser. >>>> >>>> Fastest solution which I did now is multichannel pf_ring with 8 >>>> threads for collection data. But I can process only up to 2-3 MPPS and >>>> after this I got completely overloaded system: >>>> https://www.dropbox.com/s/m2ywqgwul8ka7ww/htoppng.png?dl=0 >>>> >>>> Is it possible to process more packets on non-zc PF_RING or I should >>>> go to ZC mode? :( >>>> >>>> -- >>>> Sincerely yours, Pavel Odintsov >>>> _______________________________________________ >>>> Ntop-misc mailing list >>>> [email protected] >>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc >>> >>> _______________________________________________ >>> Ntop-misc mailing list >>> [email protected] >>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc >> >> >> >> -- >> Sincerely yours, Pavel Odintsov >> _______________________________________________ >> Ntop-misc mailing list >> [email protected] >> http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc
-- Sincerely yours, Pavel Odintsov _______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
