Hello, I have a situation where not all of the received packets are counted as filtered, and I would like to better understand why. To better understand it, I've done a controlled experiment, where after the software hash filtering rule was added on a specific 5-tuple, I send exactly 5000 packets on the same 5-tuple. All packets received by the same ring. When I look at the ring info file, I see that "Sw Filt Hash Match" increases by 4955 exactly. (Its the same number whenever I repeat the experiment on the same filter). Which means 45 packets are not counted. No other statistics parameter can explain the missing 45 packets, not in the ring info file (e.g. "Sw Filt Hash Miss") and not by using "ethtool -S" on the interface (although by using ethtool -S I see that all 5000 packets are definitely received to the NIC). When looking deeply into the replayed pcap, I see a high correlation between the number of missing packets (i.e. 45) and the number of packets that are "TCP Segment of a reassembled PDU" (by wireshark). My rss rehash set to 1.
Questions: 1. Any explanation for packets that are not counted by "Sw Filt Hash Match" (and not by any other parameter)? 2. Does the "TCP Segment of a reassembled PDU" could explain it somehow? 3. Could it be a behavioral change compared to previous pf_ring versions (e.g. 6.0.3)? Thanks, Amir _______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
