Message: 2
Date: Wed, 30 Mar 2016 23:23:15 +0200
From: Luca Deri <[email protected]>
To: [email protected]
Subject: Re: [Ntop-misc] pf_ring hardware filter question
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"

Chris
you can set rules via the PF_RING API: did you see
http://redirect.state.sbu/?url=https://github.com/ntop/PF_RING/blob/dev/userland/examples/pffilter_test.c ?

Regards Luca

> On 30 Mar 2016, at 21:12, Clark, Erik J <[email protected]> wrote:
>
> All;
> I am trying to filter out tcp and udp traffic at the kernel level
> via pf_ring, but can not find any documentation as to how to actually
> craft a rule, or how you would make one persist. The only reference I
> can find is to
>
> /proc/net/pf_ring/dev/${interface}/rules
>
> Which would not be persistent. If I wanted to filter out all tcp 443 traffic
> before handing it off to the application layer, say for Snort or Bro, how do
> I do that at the pf_ring level persistently? Thanks much!
>
> Erik
>
>
>
> _______________________________________________
> Ntop-misc mailing list
> [email protected]

Unfortunately, I haven't written any C in about 18 years. Even then, I was
never very good at it. On top of that, I can't even seem to understand what is
going on in the file. There is a section where it says it is dropping
everything but icmp, but there is nothing saying that outright, except a
reference to rule.rule_id =5, which is as clear as mud.

So, is the short answer there is no way to use something like ethtool to set
pf_ring filters?

From: http://ossectools.blogspot.com/2012/10/multi-node-bro-cluster-setup-howto.html

I can see that bpf filters can be associated with the devices somehow
(specifically (ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 0)

I can not find any documentation on how to set bpf filters, or pf_ring
parameters with something like a shell script or a tool like ethtool. Is this
just not possible?

Erik

_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
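
Added example, not part of the original thread and not PF_RING or Bro code: the BPF expression quoted in the last message, evaluated in Python over constructed IPv4 headers. It shows that the expression is (last two bytes of source address + last two bytes of destination address) mod 4 == 0, so it selects one of four buckets and both directions of a flow land in the same one. The function names and the documentation-range addresses are assumptions made for the illustration.

```python
import socket
import struct


def ipv4_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed test data, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ip_load(header: bytes, offset: int, size: int) -> int:
    """Equivalent of the BPF accessor ip[offset:size]: big-endian unsigned read."""
    return int.from_bytes(header[offset:offset + size], "big")


def filter_from_post(header: bytes) -> bool:
    """(ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 0, term by term."""
    s = ip_load(header, 14, 2) + ip_load(header, 18, 2)
    # BPF division is integer division, so s - 4*(s/4) is the remainder s mod 4.
    return s - (4 * (s // 4)) == 0


def bucket(header: bytes, workers: int = 4) -> int:
    """Generalisation (assumption): the same sum reduced modulo n workers."""
    return (ip_load(header, 14, 2) + ip_load(header, 18, 2)) % workers


if __name__ == "__main__":
    # Constructed flows using RFC 5737 documentation addresses.
    flows = [("192.0.2.10", "198.51.100.22"),
             ("192.0.2.11", "198.51.100.22"),
             ("192.0.2.12", "198.51.100.23")]
    for src, dst in flows:
        fwd, rev = ipv4_header(src, dst), ipv4_header(dst, src)
        # Bytes 12-15 are the source address and 16-19 the destination, so
        # offsets 14 and 18 read the low 16 bits of each; the sum is symmetric.
        print(f"{src} <-> {dst}: bucket {bucket(fwd)} / {bucket(rev)}, "
              f"filter matches: {filter_from_post(fwd)}")
```
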
