Hi Amir could you provide a pcap and the commands (baed on our examples) to test what you are doing?
Thank you Alfredo > On 4 Jun 2017, at 10:45, Amir Kaduri <[email protected]> wrote: > > Hello, > > I have a situation where not all of the received packets are counted > as filtered, and I would like to better understand why. > To better understand it, I've done a controlled experiment, where > after the software hash filtering rule was added on a specific > 5-tuple, I send exactly 5000 packets on the same 5-tuple. All packets > received by the same ring. > When I look at the ring info file, I see that "Sw Filt Hash Match" > increases by 4955 exactly. (Its the same number whenever I repeat the > experiment on the same filter). Which means 45 packets are not > counted. No other statistics parameter can explain the missing 45 > packets, not in the ring info file (e.g. "Sw Filt Hash Miss") and not > by using "ethtool -S" on the interface (although by using ethtool -S I > see that all 5000 packets are definitely received to the NIC). > When looking deeply into the replayed pcap, I see a high correlation > between the number of missing packets (i.e. 45) and the number of > packets that are "TCP Segment of a reassembled PDU" (by wireshark). > My rss rehash set to 1. > > Questions: > 1. Any explanation for packets that are not counted by "Sw Filt Hash > Match" (and not by any other parameter)? > 2. Does the "TCP Segment of a reassembled PDU" could explain it somehow? > 3. Could it be a behavioral change compared to previous pf_ring > versions (e.g. 6.0.3)? > > Thanks, > Amir > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
