Hi all,
Since I started this thread, I have been reading several documents
related to PF-Ring and now I can see how abstract was my initial
question and how difficult was an answer :-(
From Luca's Improving Passive Packet Capture: Beyond Device Polling
(Thanks Luca, very good one for beginners like me), docs from Corey
Satten, forums and anonymous texts, now from my basic knowledge I know
that things like PF-Ring, polling, accelerated driver, ring buffers, and
so on exist.
I have finished my initial research with post 10G Monitoring from Luca,
but these slides are too much for me (at least for know :-)).
Analysing my initial problem, huge packets losts (libpcap 400% from ntop
output), after all doc read, I believe that my problem is inherent to
the library pcap, and nothing due to hardware (cpu with normal values,
and network card with no errors from ethtool output), as experts say, so
we will try to recompile the kernel with pf-ring. As my link manages
traffic which doesnt reach high % of the Gigabit throughput available, I
hope once the pf-ring socket and new pcap are in use, my losts will be
reduced drastically.
But before I try pf-ring, I have some questions which sure you can solve:
With regard to accelerated driver, what is it? Is it integrated in
PF-Ring socket or is available with re-compilation and new pcap?
What about polling? Is it independent from pf-ring? Is it advisable to
activate it as well as pf-ring to get best improvements? I have heart
that is something related to a flag in the NIC?
Thanks again,
Jorge
Luca Deri escribió:
Jorge
it's hard to say what's happened. Unless there are not software issues
(e.g. bugged software releases) as I believe, you have so much traffic
that ntop drops more packets than the number it processes. First of
all make sure that you have configured properly for your environment,
then investigate if your setup is optimal for ntop.
Regards Luca
On Apr 2, 2008, at 6:25 PM, Gary Gatten wrote:
I can’t reconcile these numbers. I will mention though if you’re
trying to capture traffic at a high rate (pps) especially off a Gb
interface, you may want to read some of the docs on this; such as
PF_RING.
Gary
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Jorge Cuevas
Sent: Wednesday, April 02, 2008 6:50 AM
To: [email protected]
Subject: [Ntop] Strange values of traffic report stastistics
Hi everybody,
I am trying to gather information regarding my network and the
behaviour of my sensor. I have ossim (www.ossim.net) running on one
of my interfaces and I am increasing the traffic analysed adding new
monitoring sessions (from the catalyst) to my promiscuos port.
I am using ntop for studying the performance and packet losts, but I
get strange values from global statistics:
Dropped (libpcap)
403,8%
339,576,877
Dropped (ntop)
0,0%
0
Total Received (ntop)
84,087,157
Total Packets Processed
84,087,157
Unicast
95,5%
80,289,585
Broadcast
0,8%
660,955
Multicast
Can anybody give me a hand? How can libpcap be dropping 400% of the
traffic?
Thanks in advance
--
Jorge Cuevas González <[EMAIL PROTECTED]>
Director de Proyectos www.nesys-st.com
Tfno: 94 406 0546 Móvil: 617165161
GPG: 3C1C CE59 3258 07C6 BB44 76B2 7861 9F93 9710 0C6F
"This email is intended to be reviewed by only the intended
recipient and may contain information that is privileged and/or
confidential. If you are not the intended recipient, you are hereby
notified that any review, use, dissemination, disclosure or copying
of this email and its attachments, if any, is strictly prohibited.
If you have received this email in error, please immediately notify
the sender by return email and delete this email from your system."
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
--
Jorge Cuevas González <[EMAIL PROTECTED]>
Director de Proyectos www.nesys-st.com
Tfno: 94 406 0546 Móvil: 617165161
GPG: 3C1C CE59 3258 07C6 BB44 76B2 7861 9F93 9710 0C6F
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
