> On 27 Aug 2015, at 13:34, Jan Grashofer <[email protected]> wrote: > > So that is how its supposed to be. Currently I am using Bro v2.4 which relies > on your patched libpcap. Does specifying the queues work as I expect in this > setup or won't the library deal with it correctly?
It should work. > I have already tried specifying the queues directly using ZC (zc:ethX@Y). > That reproducible crashes my system. Did you try using one of our sample apps (i.e. pfcount)? Please let us know how to reproduce it. > I have also seen, that you provided a pf_ring plugin for Bro. The README says > one should use pf_ring as interface-prefix (pf_ring::eth0). So would > something like "pf_ring::zc:eth0@0" work? Does it work together with broctl? Correct. I am not really familiar with broctl, but since Bro is the real bottleneck, the pf_ring plugin does not provide a significant performance boost, thus if you feel more comfortable via libpcap and broctl, keep using it. Alfredo > > Thanks, > Jan > > From: [email protected] > [[email protected]] on behalf of Alfredo Cardigliano > [[email protected]] > Sent: Wednesday, August 26, 2015 15:09 > To: [email protected] > Subject: Re: [Ntop-misc] Using PF_RING ZC with Bro > > >> On 26 Aug 2015, at 14:49, Jan Grashofer <[email protected] >> <mailto:[email protected]>> wrote: >> >> Hi Alfredo, >> >> thanks for your explanation! Regarding 2. you clarified usage. I was told >> that using zbalance_ipc is mandatory with ZC. So I will try using ZC with >> RSS now. >> >> Regarding 1., I think we confused each other. From what I understand, >> without RSS enabled I can capture from different virtual queues aka rings >> (ethX@<queue id>) and pf_ring will take care of distribution between them. >> And with RSS enabled, pf_ring will just use the RSS queues and don't apply >> any software distribution. So each virtual queue represents a RSS queue. >> Right? In this case, my question is: What does pf_ring do, if I try to >> capture from more virtual queues than RSS queues are available? > > If you specify an RSS queue that does not exists you should not get any > packet. In order to use kernel distribution with standard pf_ring you should > use kernel clustering (see pfcount -c), in that case you just specify the > interface name, attach to the cluster, and get 1/N of the traffic (where N is > the number of application with the same cluster id) > > Alfredo > >> >> Regards, >> Jan > > _______________________________________________ > Ntop-misc mailing list > [email protected] <mailto:[email protected]> > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > <http://listgateway.unipi.it/mailman/listinfo/ntop-misc>
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
