I did, or at least I think I did. It would be griping at me in the logs if the versions were mismatched, right?

Jim

On 03/09/2015 06:53 PM, Alfredo Cardigliano wrote:
> Hi Jim
> did you update, recompile, reinstall both libraries and daq-zc?
>
> Alfredo
>
>> On 08 Mar 2015, at 20:18, Jim Hranicky <[email protected] <mailto:[email protected]>> wrote:
>>
>> Signed PGP part
>> Same thing:
>>
>> (Event)
>> sensor id: 0 event id: 1 event second: 0 event microsecond: 0
>> sig id: 2009986 gen id: 1 revision: 2 classification: 21
>> priority: 1 ip source: XX.XX.XX.XX ip destination: 27.141.202.62
>> src port: 8247 dest port: 8247 protocol: 17 impact_flag: 0 blocked: 0
>>
>> Mar 8 14:26:45 sensor kernel: [PF_RING] Welcome to PF_RING 6.0.3 ($Revision: 9060$)
>> Mar 8 14:26:45 sensor kernel: [PF_RING] registered /proc/net/pf_ring/
>> Mar 8 14:26:45 sensor kernel: [PF_RING] Min # ring slots 4096
>> Mar 8 14:26:45 sensor kernel: [PF_RING] Slot version 16
>> Mar 8 14:26:45 sensor kernel: [PF_RING] Capture TX Yes [RX+TX]
>> Mar 8 14:26:45 sensor kernel: [PF_RING] IP Defragment No
>> Mar 8 14:26:45 sensor kernel: [PF_RING] Initialized correctly
>> Mar 8 14:28:29 sensor kernel: [PF_RING_IXGBE] Intel(R) 10 Gigabit PCI Express Network Driver - version 3.22.3
>> Mar 8 14:50:45 sensor kernel: [PF_RING] Welcome to PF_RING 6.0.3 ($Revision: 9060$)
>> Mar 8 14:50:45 sensor kernel: [PF_RING] registered /proc/net/pf_ring/
>>
>> BTW, I usually edit ixgbe_main.c and add this:
>>
>> ----------------------- Index: ixgbe_main.c >> =================================================================== >> >> - --- ixgbe_main.c (revision 9060) >> +++ ixgbe_main.c (working copy) 
@@ -80,7 +80,7 @@ >> >> char ixgbe_driver_name[] = "ixgbe"; static const char >> ixgbe_driver_string[] = - "Intel(R) >> 10 Gigabit PCI Express Network Driver"; + >> "[PF_RING_IXGBE] Intel(R) 10 Gigabit PCI Express Network >> Driver"; #define DRV_HW_PERF >> >> #define FPGA -----------------------
>>
>> Helps me know I installed the right driver. Would this be something
>> you'd be interested in?
>>
>> Jim
>>
>> On 03/08/2015 12:31 PM, Alfredo Cardigliano wrote:
>>> Hi Jim
>>> software timestamping was disabled for performance reason, I patched
>>> the code (both ZC library and daq-zc) in svn now, please update and let us know.
>>>
>>> Alfredo
>>>
>>>> On 06 Mar 2015, at 17:40, Jim Hranicky <[email protected] <mailto:[email protected]>> wrote:
>>>>
>>>> So I'm testing the snort zc daq, and it seems to be working.
>>>> Unfortunately, it seems snort is writing out events with a
>>>> null timestamp:
>>>>
>>>> (Event)
>>>> sensor id: 0 event id: 1 event second: 0 event microsecond: 0
>>>> sig id: 2008583 gen id: 1 revision: 4 classification: 33
>>>> priority: 1 ip source: XX.XX.XX.XX ip destination: 41.58.217.229
>>>> src port: 38752 dest port: 6882 protocol: 17 impact_flag: 0 blocked: 0
>>>>
>>>> Going back to pfring_daq I get timestamps again:
>>>>
>>>> (Event)
>>>> sensor id: 0 event id: 1 event second: 1425659634 event microsecond: 670130
>>>> sig id: 2008581 gen id: 1 revision: 3 classification: 33
>>>> priority: 1 ip source: XX.XX.XX.XX ip destination: 5.141.224.27
>>>> src port: 45704 dest port: 48566 protocol: 17 impact_flag: 0 blocked: 0
>>>>
>>>> Any ideas?
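
Review bot: In the quoted ixgbe_main.c hunk, the replacement string literal for ixgbe_driver_string carries the "[PF_RING_IXGBE]" tag with no comment explaining why it differs from the stock description, and as a hand edit to a working copy at revision 9060 it has to be redone after each update. A one-line comment above ixgbe_driver_string, or a build-time define that prepends the tag, would keep the marker from being dropped by accident; the 14:28:29 kernel log line quoted earlier in the thread shows the tag is what identifies the PF_RING-aware build. The old-file header also reads "- --- ixgbe_main.c" with an extra leading "- ", which would need to be restored to "--- ixgbe_main.c" before the quoted patch applies.
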
>>>>
>>>> --
>>>> Jim Hranicky Data Security Specialist UF Information Technology
>>>> 105 NW 16TH ST Room #104 GAINESVILLE FL 32603-1826 352-273-1341
>>>> Information Security Office
>>>> _______________________________________________
>>>> Ntop-misc mailing list
>>>> [email protected] <mailto:[email protected]>
>>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
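
A check for the symptom reported in this thread, as an added example that is not part of the original messages or of ntop's or Snort's code: it parses event dumps in the text layout quoted above and reports the events whose `event second` is zero or missing. The sample input is constructed, the function names are hypothetical, and the blank-line record separator is an assumption; the `floor` parameter goes slightly beyond the thread by also catching implausibly old timestamps.

```python
import re

# Constructed sample in the text layout of the event dumps quoted in the thread.
# Addresses are documentation placeholders; sig ids are the ones shown there.
SAMPLE = """
(Event)
 sensor id: 0 event id: 1 event second: 0 event microsecond: 0
 sig id: 2009986 gen id: 1 revision: 2 classification: 21
 priority: 1 ip source: 192.0.2.10 ip destination: 198.51.100.7
 src port: 8247 dest port: 8247 protocol: 17 impact_flag: 0 blocked: 0

(Event)
 sensor id: 0 event id: 2 event second: 1425659634 event microsecond: 670130
 sig id: 2008581 gen id: 1 revision: 3 classification: 33
 priority: 1 ip source: 192.0.2.10 ip destination: 198.51.100.9
 src port: 45704 dest port: 48566 protocol: 17 impact_flag: 0 blocked: 0

(Event)
 sensor id: 0 event id: 3 event second: 0 event microsecond: 0 sig id: 2008583
"""

# "key: value" pairs; keys are lowercase words joined by single spaces.
FIELD = re.compile(r"([a-z_]+(?: [a-z_]+)*):[ \t]*(\S+)")

def parse_events(dump):
    """Return one dict per (Event) record; other record types are skipped.
    Assumes records are separated by blank lines."""
    events = []
    for record in re.split(r"\n\s*\n", dump.strip()):
        header, _, body = record.strip().partition("\n")
        if header.strip() == "(Event)":
            events.append(dict(FIELD.findall(body)))
    return events

def null_timestamps(events, floor=1):
    """Events whose 'event second' is missing, non-numeric or below floor."""
    return [e for e in events
            if not e.get("event second", "").isdecimal()
            or int(e["event second"]) < floor]

def summarize(dump, floor=1):
    """(total events, sorted sig ids of the events with no usable timestamp)."""
    events = parse_events(dump)
    bad = null_timestamps(events, floor)
    return len(events), sorted(e.get("sig id", "?") for e in bad)

if __name__ == "__main__":
    total, sig_ids = summarize(SAMPLE)
    print(f"{len(sig_ids)} of {total} events lack a timestamp; sig ids: {sig_ids}")
```

Run against a dump taken after switching capture libraries, a non-empty result means alerts are being written that cannot be placed on a timeline during correlation or incident response.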
