Re: [Ntop-misc] Error: Please install libnuma-dev in order to use PF_RING
stefan.bi...@salzburgresearch.at> > wrote: > > Hi Alfredo, > thanks for the quick response. > > I thought that too, but the thing is that libnuma-dev and libnuma1 are > already installed. > > They show up as installed packages with the newest version. > > Despite all that I still get the same compile error as stated in my previous > post. Even if I run the configure script under PF_RING/userland/lib. > > Thanks in advance. > Best regards, Stefan. > > Am 19.08.2015 um 21:26 schrieb Alfredo Cardigliano: > > Hi Stefan > it seems libnuma is not installed, please make sure you have: > > # dpkg --get-selections| grep numa > libnuma-dev:amd64 install > libnuma1:amd64install > > and run: > > PF_RING/userland/lib # ./configure > > Alfredo > > On 19 Aug 2015, at 19:44, Stefan Binna <stefan.bi...@salzburgresearch.at> > wrote: > > Hi, > > I am currently trying to implement PF_RING on Ubuntu 12.04.5 LTS Server with > Kernel 3.13.0-32-generic. > > I tried following sources: > > - git clone https://github.com/ntop/PF_RING > - PF_RING-6.0.3.tar.gz > > I have installed following packages to fulfill the build requirements, > furthermore the Ubuntu has the newest packages available installed: > > build-essentials, libnuma-dev, libnuma1, dkms, debhelper > > When I try to build the .deb package manually, as described here: > http://packages.ntop.org/ubuntu/12.04/x64/PF_RING/ > > I ALWAYS get the following build errors after like 2 minutes of compiling: > > [...] > checking librdi.h usability... no > checking librdi.h presence... no > checking for librdi.h... no > checking for pthread_setaffinity_np in -lpthread... no > checking for librdi.h... (cached) no > checking for redisCommand in -lhiredis... no > checking for numa_available in -lnuma... no > checking if libnuma is present... no > Please install libnuma-dev in order to use PF_RING > make[2]: Entering directory `/root/PF_RING/userland/lib' > make[2]: *** No targets specified and no makefile found. Stop. > make[2]: Leaving directory `/root/PF_RING/userland/lib' > make[1]: *** [libpfring] Error 2 > make[1]: Leaving directory `/root/PF_RING/userland' > make: *** [pre-build-core] Error 2 > > What can I do to succeed in a successful build? > > Thanks very much in advance. > > Kind regards, Stefan. > ___ > Ntop-misc mailing list > Ntop-misc@listgateway.unipi.it > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > > > ___ > Ntop-misc mailing list > Ntop-misc@listgateway.unipi.it > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > > ___ > Ntop-misc mailing list > Ntop-misc@listgateway.unipi.it > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > > > > ___ > Ntop-misc mailing list > Ntop-misc@listgateway.unipi.it > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > > > > ___ > Ntop-misc mailing list > Ntop-misc@listgateway.unipi.it > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > > ___ > Ntop-misc mailing list > Ntop-misc@listgateway.unipi.it > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > > > > ___ > Ntop-misc mailing list > Ntop-misc@listgateway.unipi.it > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > > ___ > Ntop-misc mailing list > Ntop-misc@listgateway.unipi.it > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > > > ___ > Ntop-misc mailing list > Ntop-misc@listgateway.unipi.it > http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] ntop and protocol identification
Hello, folks! We have really huge network with ~1Tbps of traffic with sFLOW monitoring enabled. And we want to build traffic statistics from sFLOW data. Could we use deep protocol detection for sFLOW? As I know, we have packet headers inside sFLOW packet. Could we use it for deep protocol detection with ntop? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] ntop and protocol identification
Very good news! We could try and will share experience! Thank you for awesome software! On Thursday, July 9, 2015, Luca Deri d...@ntop.org wrote: Pavel yes we can do DPI on sflow but being the traffic sampled, you cannot expect us to be able to do too much in terms of prediction Cheers Luca On 08 Jul 2015, at 05:11, Pavel Odintsov pavel.odint...@gmail.com javascript:; wrote: Hello, folks! We have really huge network with ~1Tbps of traffic with sFLOW monitoring enabled. And we want to build traffic statistics from sFLOW data. Could we use deep protocol detection for sFLOW? As I know, we have packet headers inside sFLOW packet. Could we use it for deep protocol detection with ntop? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it javascript:; http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it javascript:; http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] PF_RING oops kernel inside KVM machine
Hello, folks! Sorry for bothering you but this ticket is really important for me: https://github.com/ntop/PF_RING/issues/13 Because I do all development inside KVM machine and could not use PF_RING now :( -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Could I achieve wire speed for 40GE?
Thank you for this really important information. We will do some tests and share feedback. On Monday, June 29, 2015, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel i40e-based cards available today are too weak to keep up with 56Mpps, this is due to 1. the poor buffering (ring size) available in X710 and 2. the way Intel cards work (packet-by-packet) which does not optimise bus utilisation. You can improve 1. by using multiple RSS queues, but you should run some test yourself to check performance because they can change significantly according to your hardware. Alfredo On 28 Jun 2015, at 12:10, Pavel Odintsov pavel.odint...@gmail.com javascript:; wrote: Hello, folks! I looking for solution which could do 40GE on wire speed (56 Mpps). Could I achieve it with PF_RING ZC + i40e driver? Btw, could you add prices for 40GE solutions to the http://www.nmon.net/shop/cart.php? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it javascript:; http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] SPSC library from ZC
Thanks for answer! I will try to find :) On Mon, Jun 29, 2015 at 7:35 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel SPSC queues in ZC are part of the ZC library only (binary version), however you can find many open source SPSC implementations on the web. Alfredo On 28 Jun 2015, at 19:27, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, folks! Do you have open source version of SPSC queue used in binary version of PR_RING ZC? Or it part of commercial closed source library too? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] SPSC library from ZC
Hello, folks! Do you have open source version of SPSC queue used in binary version of PR_RING ZC? Or it part of commercial closed source library too? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] Could I achieve wire speed for 40GE?
Hello, folks! I looking for solution which could do 40GE on wire speed (56 Mpps). Could I achieve it with PF_RING ZC + i40e driver? Btw, could you add prices for 40GE solutions to the http://www.nmon.net/shop/cart.php? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] PF_RING on top of Virtual Function if ixgbe
Hello, folks! Just poking about: https://github.com/ntop/PF_RING/issues/15 Do you have any plans for this feature? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] PF_RING on top of Virtual Function if ixgbe
Thanks you for lightning fast answer! :) On Fri, Jun 19, 2015 at 10:34 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel replied on github (issue #15) Alfredo On 19 Jun 2015, at 09:25, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, folks! Just poking about: https://github.com/ntop/PF_RING/issues/15 Do you have any plans for this feature? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Pfring zc without interface detach
Hello! I have found new approach for this task. This approach could be implemented with bundled feature of 82599 hardware. Intel 82599 NIC has support of traffic mirroring. I.e. we could create two virtual NIC with one physical. Attach one virtual NIC to Linux and another virtual NIC to PF_RING ZC. Finally, we could provide wire speed monitoring of traffic and Linux stack will work. Unfortunately, ixgbe driver lacks of support for this feature, thus I have created issue for it: https://sourceforge.net/p/e1000/bugs/480/ I will be very glad if you could add this feature to PF_RING's ixgbe. On Sun, May 31, 2015 at 1:22 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Something like zbounce -i zc:ethX -o stack:ethX -b should do the job. Alfredo On 31 May 2015, at 12:03, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! Thank you for fast answer! Do you have any examples of simple two direction forwarder between ZC and Linux Network Stack? On Sat, May 30, 2015 at 5:27 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: On 30 May 2015, at 15:55, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I need ability to monitor traffic at wire speed on server with only one physical interface. I need some way to monitor traffic without detaching interface from the stack. I.e. Linux network stack should work too. There is any way to implement this approach without custom traffic copying and injecting it to the linux stack? You have two options: standard mode or ZC mode. If you want to capture line-rate traffic you need to open the device in ZC mode and send (a subset of) them to the stack, this is the only way. Could I achieve wire speed for traffic injection to the Linux network stack? The stack is the bottleneck here. Alfredo -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] I suggest addition to load_driver.sh for ixgbe
Hello! Looks like problem still occur. My system is Debian Jessie and I already have hugemempages: cat /proc/mounts |grep huge hugetlbfs /dev/hugepages hugetlbfs rw,relatime 0 0 But dev branch can't allocate enough amount of huge pages: ./load_driver.sh rmmod: ERROR: Module pf_ring is not currently loaded irqbalance: no process found Configuring eth6 no rx vectors found on eth6 no tx vectors found on eth6 eth6 mask=1 for /proc/irq/40/smp_affinity Configuring eth5 no rx vectors found on eth5 no tx vectors found on eth5 eth5 mask=1 for /proc/irq/42/smp_affinity Warning: 0 hugepages available, 1024 requested When I unmounted standard path of hugepages everything finished OK: umount /dev/hugepages ./load_driver.sh irqbalance: no process found Configuring eth6 no rx vectors found on eth6 no tx vectors found on eth6 eth6 mask=1 for /proc/irq/40/smp_affinity Configuring eth5 no rx vectors found on eth5 no tx vectors found on eth5 eth5 mask=1 for /proc/irq/42/smp_affinity mkdir: cannot create directory ‘/mnt/huge’: File exists Git dev branch. On Sun, Dec 14, 2014 at 2:46 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Thank you! On Sat, Dec 13, 2014 at 6:33 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel fixed, thank you Alfredo On 13 Dec 2014, at 13:31, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! Please add this umount command before mount -t hugetlbfs: umount /mnt/huge Because if we call it multiple times we got unexpected results: nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 And this issue originate troubles with ZC buffers: ./zcount -i zc:eth4 -c 1 # # ERROR: You do not seem to have a valid PF_RING ZC license 6.0.2.140923 for eth4 [Intel 10 Gbit ixgbe 82599-based] # ERROR: Please get one at http://shop.ntop.org/. # # We're now working in demo mode with packet capture and # transmission limited to 5 minutes # *** error mmap'ing hugepage /mnt/huge/pfring_zc_1: Cannot allocate memory *** *** error mmap'ing 64 hugepages of 2048 KB *** pfring_zc_create_cluster error [No buffer space available] Please check that pf_ring.ko is loaded and hugetlb fs is mounted Thank you! -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Pfring zc without interface detach
Hello! Thank you for fast answer! Do you have any examples of simple two direction forwarder between ZC and Linux Network Stack? On Sat, May 30, 2015 at 5:27 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: On 30 May 2015, at 15:55, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I need ability to monitor traffic at wire speed on server with only one physical interface. I need some way to monitor traffic without detaching interface from the stack. I.e. Linux network stack should work too. There is any way to implement this approach without custom traffic copying and injecting it to the linux stack? You have two options: standard mode or ZC mode. If you want to capture line-rate traffic you need to open the device in ZC mode and send (a subset of) them to the stack, this is the only way. Could I achieve wire speed for traffic injection to the Linux network stack? The stack is the bottleneck here. Alfredo -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] Pfring zc without interface detach
Hello! I need ability to monitor traffic at wire speed on server with only one physical interface. I need some way to monitor traffic without detaching interface from the stack. I.e. Linux network stack should work too. There is any way to implement this approach without custom traffic copying and injecting it to the linux stack? Could I achieve wire speed for traffic injection to the Linux network stack? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] NDPI and multithreading
Hello, folks! David, I could suggest you to try memcpy analogues from SIMD, SSE4 instruction set. They are significantly faster than standard memcpy. On Thu, May 7, 2015 at 11:01 AM, Luca Deri d...@ntop.org wrote: David nDPI is reentrant so from this point of view you should be safe. Like Alfredo said ZC might help ypu. In fact sometimes the memcpy is the most expensive step in apps, so avoiding it is desirable Regards luca On 07 May 2015, at 07:20, David Britt d...@britt.com.au wrote: I am looking to build an analysis tool based on nDPI and would like to share the load across multiple CPU cores. I notice that there is some indication of thread safeness in nDPI 1.5 but I am wondering whether anyone has built, or has ideas on building a multi threaded nDPI application. I suppose my main question is how to ensure each packet from libpcap reaches the correct nDPI thread for processing and analysis - I guess I need to have some kind of 5 tuple hashing mechanism to classify each packet into a flow and push to an appropriate queue that each nDPI thread can pick from? Is this something that PF_RING can do, or perhaps some other simple technique? Any help, guidance of examples would be very much appreciated if anyone has gone down this path and is willing to share some ideas. Dave Britt. ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] pfring filtering fails or not clear
- 10.70.150.108:60189] [l3_proto=TCP][hash=344283189][tos=0][tcp_seq_num=596845111] [caplen=128][len=1086][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] Rule 2 added successfully... : --- How come, that once rule #0 was added for [10.61.10.9:52311 - 10.70.150.108:60189], I still see such packets in the next lines? Shouldn’t they be filtered by the rule that just as added? (BTW, when I use the command “./pfcount -i eth3 -u 1 -v 1 -r –m” (i.e. –u is 1 rather than 2), the tester uses hash filters, and in this case, I get errors: 18:53:19.052549112 [RX][if_index=11][00:08:E3:FF:FC:C8 - 00:01:02:03:04:05] [vlan 70] [direction 1] [IPv4][10.61.10.9:52311 - 10.70.150.108:60189] [l3_proto=TCP][hash=344283189][tos=0][tcp_seq_num=596847159] [caplen=128][len=1490][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] pfring_add_hash_filtering_rule(1) failed) Any help will be appreciated. Thanks, Amir ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] Debian Fedora mount hugetlb by default and PF_RING could use it
Hello! I'm switching to Debian 8 from Debian 7 and found very interesting bug with your load_driver.sh (ixgbe). ./load_driver.sh rmmod: ERROR: Module ixgbe is not currently loaded Warning: 0 hugepages available, 1024 requested irqbalance: no process found Configuring eth6 no rx vectors found on eth6 no tx vectors found on eth6 eth6 mask=1 for /proc/irq/112/smp_affinity Configuring eth7 no rx vectors found on eth7 no tx vectors found on eth7 eth7 mask=1 for /proc/irq/114/smp_affinity Configuring eth4 no rx vectors found on eth4 no tx vectors found on eth4 eth4 mask=1 for /proc/irq/108/smp_affinity Configuring eth5 no rx vectors found on eth5 no tx vectors found on eth5 eth5 mask=1 for /proc/irq/110/smp_affinity As you can see load_driver.sh tried to allocate 1024 huge pages but failed (maybe you should fail in this case?). This issue related with allocated by default in Debian 8 hugetlb buffers: AnonHugePages: 0 kB HugePages_Total: 0 HugePages_Free:0 HugePages_Rsvd:0 HugePages_Surp:0 Hugepagesize: 2048 kB DirectMap4k: 74240 kB DirectMap2M:50255872 kB But there are no allocated pages: grep HugePages_Total /sys/devices/system/node/node0/meminfo I suggest following fix for load_driver.sh: if [ `cat /proc/mounts | grep hugetlbfs | wc -l` -eq 0 ]; then sync echo 3 /proc/sys/vm/drop_caches echo $HUGEPAGES /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages mkdir /mnt/huge mount -t hugetlbfs nodev /mnt/huge else echo $HUGEPAGES /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages fi After this fix everything loaded correctly: ./load_driver.sh rmmod: ERROR: Module ixgbe is not currently loaded rmmod: ERROR: Module pf_ring is not currently loaded Configuring eth6 no rx vectors found on eth6 no tx vectors found on eth6 eth6 mask=1 for /proc/irq/112/smp_affinity Configuring eth7 no rx vectors found on eth7 no tx vectors found on eth7 eth7 mask=1 for /proc/irq/114/smp_affinity Configuring eth4 no rx vectors found on eth4 no tx vectors found on eth4 eth4 mask=1 for /proc/irq/108/smp_affinity Configuring eth5 no rx vectors found on eth5 no tx vectors found on eth5 eth5 mask=1 for /proc/irq/110/smp_affinity # # ERROR: You do not seem to have a valid PF_RING ZC license 6.0.3.150330 for eth4 [Intel 10 Gbit ixgbe 82599-based] # ERROR: Please get one at http://shop.ntop.org/. # # We're now working in demo mode with packet capture and # transmission limited to 5 minutes # libnuma: Warning: node 6 not allowed numa_sched_setaffinity_v2_int() failed; abort : Invalid argument set_mempolicy: Invalid argument # # ERROR: You do not seem to have a valid PF_RING ZC license 6.0.3.150330 for eth4 [Intel 10 Gbit ixgbe 82599-based] # ERROR: Please get one at http://shop.ntop.org/. # # # ERROR: You do not seem to have a valid PF_RING ZC license 6.0.3.150330 for eth4 [Intel 10 Gbit ixgbe 82599-based] # ERROR: Please get one at http://shop.ntop.org/. # ^CLeaving... = Absolute Stats: 0 pkts - 0 bytes = -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] Complains about absent svnversion on PF_RING 6.0.3
Hello! I'm installing PF_RING 6.0.3 on machine without svn at all and got following complains: which: no svnversion in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin) which: no svnversion in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin) which: no svnversion in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin) which: no svnversion in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin) which: no svnversion in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin) which: no svnversion in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin) Could you fix this complains? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Complains about absent svnversion on PF_RING 6.0.3
Hello, Luca! cd /usr/src wget .. tar -xf PF_RING-6.0.3.tar.gz cd PF_RING-6.0.3 cd kerbel ./configure --prefix=/tmp/removeme make which: no svnversion in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin) ** WARNING WARNING WARNING ** * * Compiling PF_RING as root might lead you to compile errors * Please compile PF_RING as unpriviliged user * * make -C /lib/modules/2.6.32-042stab094.7/build SUBDIRS=/usr/src/PF_RING-6.0.3/kernel EXTRA_CFLAGS='-I/usr/src/PF_RING-6.0.3/kernel ' modules make[1]: Entering directory `/usr/src/kernels/2.6.32-042stab094.7' which: no svnversion in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin) -- CC [M] /usr/src/PF_RING-6.0.3/kernel/pf_ring.o Building modules, stage 2. which: no svnversion in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin) -- MODPOST 1 modules CC /usr/src/PF_RING-6.0.3/kernel/pf_ring.mod.o LD [M] /usr/src/PF_RING-6.0.3/kernel/pf_ring.ko.unsigned NO SIGN [M] /usr/src/PF_RING-6.0.3/kernel/pf_ring.ko make[1]: Leaving directory `/usr/src/kernels/2.6.32-042stab094.7' [root@evo1000 kernel]# make install which: no svnversion in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin) -- mkdir -p /lib/modules/2.6.32-042stab094.7/kernel/net/pf_ring cp *.ko /lib/modules/2.6.32-042stab094.7/kernel/net/pf_ring cp linux/pf_ring.h /usr/include/linux /sbin/depmod 2.6.32-042stab094.7 On Mon, Apr 13, 2015 at 1:03 PM, Luca Deri d...@ntop.org wrote: Pavel, how can we reproduce the issue? please provide a full log Regards luca On 04/13/2015 11:53 AM, Pavel Odintsov wrote: Hello! I'm installing PF_RING 6.0.3 on machine without svn at all and got following complains: which: no svnversion in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin) which: no svnversion in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin) which: no svnversion in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin) which: no svnversion in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin) which: no svnversion in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin) which: no svnversion in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin) Could you fix this complains? ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] NIC offload features integration
Hello! Any news about checksumm offload for ZC? On Thu, Apr 2, 2015 at 4:56 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Thank you so much! I interested in ZC version because it could work on wire speed and offload features are explicit in this case. I will test offload feature asap ;) On Thursday, April 2, 2015, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel pf_ring with standard drivers provides information about checksum offload when enabled, please take a look at pfring_pkthdr.extended_hdr.flags #define PKT_FLAGS_CHECKSUM_OFFLOAD 1 0 /* IP/TCP checksum offload enabled */ #define PKT_FLAGS_CHECKSUM_OK 1 1 /* Valid checksum (with IP/TCP checksum offload enabled) */ We will add support for this also to ZC ASAP. Alfredo On 02 Apr 2015, at 08:28, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, folks! I'm working on user space tcp/ip implementation now. I have modern network cards with many types of hardware offload. I interested in tcp and ip checksumm validation/generation. But I could not find any flags in pfring parsed packet header about succsess or fail in checksumm validation. But checksumm offliad is definitely working and I coukd see counter values in network card stats. Nic offload features provide huge performance benefits and will be fine if you provide code and examples fir they. Thank you for your attention! -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] pfring filtering fails or not clear
–m” (i.e. –u is 1 rather than 2), the tester uses hash filters, and in this case, I get errors: 18:53:19.052549112 [RX][if_index=11][00:08:E3:FF:FC:C8 - 00:01:02:03:04:05] [vlan 70] [direction 1] [IPv4][10.61.10.9:52311 - 10.70.150.108:60189] [l3_proto=TCP][hash=344283189][tos=0][tcp_seq_num=596847159] [caplen=128][len=1490][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] pfring_add_hash_filtering_rule(1) failed) Any help will be appreciated. Thanks, Amir ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it javascript:_e(%7B%7D,'cvml','Ntop-misc@listgateway.unipi.it'); http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it javascript:_e(%7B%7D,'cvml','Ntop-misc@listgateway.unipi.it'); http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] NIC offload features integration
Hello, folks! I'm working on user space tcp/ip implementation now. I have modern network cards with many types of hardware offload. I interested in tcp and ip checksumm validation/generation. But I could not find any flags in pfring parsed packet header about succsess or fail in checksumm validation. But checksumm offliad is definitely working and I coukd see counter values in network card stats. Nic offload features provide huge performance benefits and will be fine if you provide code and examples fir they. Thank you for your attention! -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] NIC offload features integration
Thank you so much! I interested in ZC version because it could work on wire speed and offload features are explicit in this case. I will test offload feature asap ;) On Thursday, April 2, 2015, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel pf_ring with standard drivers provides information about checksum offload when enabled, please take a look at pfring_pkthdr.extended_hdr.flags #define PKT_FLAGS_CHECKSUM_OFFLOAD 1 0 /* IP/TCP checksum offload enabled */ #define PKT_FLAGS_CHECKSUM_OK 1 1 /* Valid checksum (with IP/TCP checksum offload enabled) */ We will add support for this also to ZC ASAP. Alfredo On 02 Apr 2015, at 08:28, Pavel Odintsov pavel.odint...@gmail.com javascript:_e(%7B%7D,'cvml','pavel.odint...@gmail.com'); wrote: Hello, folks! I'm working on user space tcp/ip implementation now. I have modern network cards with many types of hardware offload. I interested in tcp and ip checksumm validation/generation. But I could not find any flags in pfring parsed packet header about succsess or fail in checksumm validation. But checksumm offliad is definitely working and I coukd see counter values in network card stats. Nic offload features provide huge performance benefits and will be fine if you provide code and examples fir they. Thank you for your attention! -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it javascript:_e(%7B%7D,'cvml','Ntop-misc@listgateway.unipi.it'); http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] Avx v2 support for pfring zc
Hello! I have modern cpu with avx 2 support (e5 2697v3). Do you have any plans for supporting it in zc library? I checked zc libs and descided you have only avx 1 support. -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Avx v2 support for pfring zc
Wow! Awesome! Saw it https://svn.ntop.org/svn/ntop/trunk/PF_RING/userland/lib/libs/ :) Will test shortly! On Thu, Apr 2, 2015 at 6:36 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel just added to SVN Alfredo On 02 Apr 2015, at 16:12, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I have modern cpu with avx 2 support (e5 2697v3). Do you have any plans for supporting it in zc library? I checked zc libs and descided you have only avx 1 support. -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] PF_RING userland to OpenWRT
Hello! You could try ./configure --disable-numa when compiling pf_ring library. NUMA support is not mandatory. On Thu, Mar 26, 2015 at 12:46 PM, András Kónya kandras...@gmail.com wrote: Hello! The solution of yours is solved the problem, the lib folder is cross compiled. Thank a lot. :) But now I'm stuck again with libpcap library. I get this error message: OpenWrt-SDK-ar71xx-for-linux-x86_64-gcc-4.8-linaro_uClibc-0.9.33.2/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/mips-openwrt-linux-uclibc/bin/ld: cannot find -lnuma collect2: error: ld returned 1 exit status First I thought the problem is with libnuma - there isn't libnuma for OpenWRT, and this is obviously not depends on PF_RING, so I go for further information to openwrt forums. From there, I get this answer: libnuma is not available in OpenWrt you have to create a package in buildroot or compile it with the SDK And they give me some links where is tutorials for package creating or compiling a module to OpenWRT. But before I start this process (maybe I didn't mention that I'm completely new in compiling, so that process will be long for me :) ) I would like get the approve of yours: this is the only way I can make libnuma package for OpenWRT cross compiler and go through this problem? I read some article about PF_RING compiling to OpenWRT and nobody, nowhere mentioned it you have to make a package or compile a system lib. :\ OS: Ubuntu 12.04 64bit OpenWRT: Barrier Breaker (14.07, r42625) (but maybe I have to make a new one...) SDK: OpenWrt-SDK-ar71xx-for-linux-x86_64-gcc-4.8-linaro-uClibc-0.9.33.2 (but maybe I have to make a new one...) Thanks a lot, András Kónya Hello! checking PF_RING ZC support... yes Try to remove folder with name libs in userland/lib folder and run ./configure and make again. This action should disable ZC support in PF_RING library. In addition to this you could try PF_RING version from SVN: svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/ It's more reliable and stable. BTW, PF_RING folks, could you add ability to disable zc support for PF_RING as ./configure flag --disable-zc ? ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] Could I open only one NIC queue with ZC?
Hello, folks! I need open only one NIC hardware queue with PF_RING ZC. Another 7 queues should be handled by Linux kernel for normal traffic. Is it possible with PF_RING/ZC? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Could I open only one NIC queue with ZC?
Hello, Alfredo! Thank you for answer! My case is very interesting. With hardware NIC capabilities (5-tuple filters) we can direct specific traffic to certain NIC queue with enabled PF_RING traffic processor. All another traffic could be processed with Linux stack. It's zero overhead solution. Direct and not so intelligent solution to this problem look like this. We will process all traffic with PF_RING and flow back non interested for us traffic back to Linux network stack. It's not straightforward to implement, has non zero overhead and bug-aware. With ability to open specific NIC queue we could combine monitoring task and production network service on same server and same NIC. Now I should use two separate servers for this task. Thank you! On Wed, Mar 25, 2015 at 7:36 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel when you open a queue pf_ring now detaches the whole interface from kernel for coherency, I guess you agree that in common use cases this is preferable to avoid time windows where half of the traffic is sent to the kernel. We should probably try to support also your use case somehow, as a special case. Alfredo On 25 Mar 2015, at 17:00, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, folks! I need open only one NIC hardware queue with PF_RING ZC. Another 7 queues should be handled by Linux kernel for normal traffic. Is it possible with PF_RING/ZC? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Any user friendly ways to distribute software linked to PF_RING library and kernel module?
Hello, again! I switched to use night build version: http://www.nmon.net/centos/ and it works good. But you have issues with linker. I could link agains libpfring with charm but I can't run tool linked to pfring: ldd /usr/sbin/fastnetmon |grep pfring libpfring.so = not found It's because you do not add this path to ldconfig configuration. It could be fixed with: echo /usr/local/lib /etc/ld.so.conf.d/pfring.conf ldconfig Thank you! :) On Mon, Mar 23, 2015 at 11:19 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello again! I'm so sorry! I found libraries :) find /|grep pfring|grep '/usr/local' /usr/local/lib/libpfring.so /usr/local/lib/daq/daq_pfring.so /usr/local/lib/libpfring.a /usr/local/pfring /usr/local/pfring/README-DAQ.1st /usr/local/pfring/kernel /usr/local/pfring/kernel/pf_ring.ko /usr/local/pfring/README.FIRST /usr/local/include/pfring.h On Mon, Mar 23, 2015 at 11:06 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, folks! I'm an author of open source toolkit which linked with PF_RING library (yes, it also support ZC mode but I could disable it). And I want to prepare RPM/DEB packages for my tool for different distributions. But I can't because there are no PF_RING library in pf_ring packages for CentOS 6/7 and Debian 7. cat /etc/redhat-release CentOS release 6.6 (Final) rpm -qa|grep pfring pfring-dkms-6.0.3-dkms.noarch pfring-6.0.3-8637.x86_64 find /|grep pf_ring|grep -v '/usr/src' /var/lib/dkms/pfring/6.0.3/2.6.32-042stab094.7/x86_64/module/pf_ring.ko /etc/init/pf_ring.conf /etc/rc.d/rc6.d/K60pf_ring /etc/rc.d/rc3.d/S30pf_ring /etc/rc.d/rc5.d/S30pf_ring /etc/rc.d/rc0.d/K60pf_ring /etc/rc.d/rc1.d/K60pf_ring /etc/rc.d/rc2.d/S30pf_ring /etc/rc.d/init.d/pf_ring /etc/rc.d/rc4.d/S30pf_ring /etc/pf_ring /etc/pf_ring/dna /etc/pf_ring/dna/igb /etc/pf_ring/dna/ixgbe /etc/pf_ring/dna/e1000e /etc/pf_ring/zc /etc/pf_ring/zc/igb /etc/pf_ring/zc/ixgbe /etc/pf_ring/zc/e1000e /usr/local/pfring/kernel/pf_ring.ko /usr/local/include/linux/pf_ring.h Could you add PF_RING dynamic library here? Do you have any ideas about user friendly distribution of PF_RING? Today we have huge galaxy of PF_RING enabled tools. But in each case speedup need few days in manual compilation and configuration. -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Fwd: PF_RING userland to OpenWRT
Hello! Could you show ./configure command output for folder userspace/lib? I suppose your issues related with ZC library which support only x86_64 platform. On Tue, Mar 24, 2015 at 1:08 PM, András Kónya kandras...@gmail.com wrote: Hello! I'd like to cross compile PF_RING-6.0.1 to OpenWRT Barrier Breaker (14.07, r42625) what is running in a TP-LINK TL-WL1043ND v2 router with OpenWrt-SDK-ar71xx-for-linux-x86_64-gcc-4.8-linaro-uClibc-0.9.33.2 from Ubuntu 12.04 64bit OS (this is the first step of my university project). I already compiled and installed the kernel module to the router, and it's work perfectly, but now I am get stuck with the userland module. My plan is cross compile the libraries one by one and install the binaries. The first library I'd like to cross compile alone is the userland/lib. In the makefile.in I added an export part and modified the cross compile part: http://http://pastebin.com/9ngJXJ20 When I configure it and run make, I get this error message: /home/konya/Documents/OpenWrt-SDK-ar71xx-for-linux-x86_64-gcc-4.8-linaro_uClibc-0.9.33.2/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/bin/../lib/gcc/mips-openwrt-linux-uclibc/4.8.3/../../../../mips-openwrt-linux-uclibc/bin/ld: pfring_dna_bouncer.o: Relocations in generic ELF (EM: 62) pfring_dna_bouncer.o: could not read symbols: File in wrong format (The hole output: http://pastebin.com/bFD6yLsC) I searched for information about this message for two day and I think this is about version mismatch, but I can't go through... (I'm completely new in make file writing, I'm in a deep water now so I'm grateful for any help.) Thanks, András Kónya kandras...@gmail.com ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Fwd: PF_RING userland to OpenWRT
Hello! checking PF_RING ZC support... yes Try to remove folder with name libs in userland/lib folder and run ./configure and make again. This action should disable ZC support in PF_RING library. In addition to this you could try PF_RING version from SVN: svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/ It's more reliable and stable. BTW, PF_RING folks, could you add ability to disable zc support for PF_RING as ./configure flag --disable-zc ? On Tue, Mar 24, 2015 at 1:58 PM, András Kónya kandras...@gmail.com wrote: Hello! http://pastebin.com/kE1vb2nS From my last post I tried that: I commented the Zero ToolKit, DNA, PF_RING ZC and Viurtal PF_RING's binaries and run make - and as I see the compile is done: http://pastebin.com/S6rCTRJu But I'm afraid from there is some errors when I install it to the router. :\ András Kónya Hello! Could you show ./configure command output for folder userspace/lib? I suppose your issues related with ZC library which support only x86_64 platform. On Tue, Mar 24, 2015 at 1:08 PM, András Kónya kandras585 at gmail.com wrote: Hello! I'd like to cross compile PF_RING-6.0.1 to OpenWRT Barrier Breaker (14.07, r42625) what is running in a TP-LINK TL-WL1043ND v2 router with OpenWrt-SDK-ar71xx-for-linux-x86_64-gcc-4.8-linaro-uClibc-0.9.33.2 from Ubuntu 12.04 64bit OS (this is the first step of my university project). I already compiled and installed the kernel module to the router, and it's work perfectly, but now I am get stuck with the userland module. My plan is cross compile the libraries one by one and install the binaries. The first library I'd like to cross compile alone is the userland/lib. In the makefile.in I added an export part and modified the cross compile part: http://http://pastebin.com/9ngJXJ20 When I configure it and run make, I get this error message: /home/konya/Documents/OpenWrt-SDK-ar71xx-for-linux-x86_64-gcc-4.8-linaro_uClibc-0.9.33.2/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/bin/../lib/gcc/mips-openwrt-linux-uclibc/4.8.3/../../../../mips-openwrt-linux-uclibc/bin/ld: pfring_dna_bouncer.o: Relocations in generic ELF (EM: 62) pfring_dna_bouncer.o: could not read symbols: File in wrong format (The hole output: http://pastebin.com/bFD6yLsC) I searched for information about this message for two day and I think this is about version mismatch, but I can't go through... (I'm completely new in make file writing, I'm in a deep water now so I'm grateful for any help.) Thanks, András Kónya kandras585 at gmail.com ___ Ntop-misc mailing list Ntop-misc at listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Any user friendly ways to distribute software linked to PF_RING library and kernel module?
New problems on CentOS 7 has arrived. PF_RING did not work because old style init script is incompatible with systemd. Could you add convenient unit for SystemD? I could provide example for it /etc/systemd/system/pfring.service: [Unit] Description=PF_RING fast packet capture subsystem [Service] Type=oneshot RemainAfterExit=yes ExecStart=modprobe pfring ExecStop=rmmod pfring [Install] WantedBy=multi-user.target On Tue, Mar 24, 2015 at 3:35 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, again! I switched to use night build version: http://www.nmon.net/centos/ and it works good. But you have issues with linker. I could link agains libpfring with charm but I can't run tool linked to pfring: ldd /usr/sbin/fastnetmon |grep pfring libpfring.so = not found It's because you do not add this path to ldconfig configuration. It could be fixed with: echo /usr/local/lib /etc/ld.so.conf.d/pfring.conf ldconfig Thank you! :) On Mon, Mar 23, 2015 at 11:19 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello again! I'm so sorry! I found libraries :) find /|grep pfring|grep '/usr/local' /usr/local/lib/libpfring.so /usr/local/lib/daq/daq_pfring.so /usr/local/lib/libpfring.a /usr/local/pfring /usr/local/pfring/README-DAQ.1st /usr/local/pfring/kernel /usr/local/pfring/kernel/pf_ring.ko /usr/local/pfring/README.FIRST /usr/local/include/pfring.h On Mon, Mar 23, 2015 at 11:06 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, folks! I'm an author of open source toolkit which linked with PF_RING library (yes, it also support ZC mode but I could disable it). And I want to prepare RPM/DEB packages for my tool for different distributions. But I can't because there are no PF_RING library in pf_ring packages for CentOS 6/7 and Debian 7. cat /etc/redhat-release CentOS release 6.6 (Final) rpm -qa|grep pfring pfring-dkms-6.0.3-dkms.noarch pfring-6.0.3-8637.x86_64 find /|grep pf_ring|grep -v '/usr/src' /var/lib/dkms/pfring/6.0.3/2.6.32-042stab094.7/x86_64/module/pf_ring.ko /etc/init/pf_ring.conf /etc/rc.d/rc6.d/K60pf_ring /etc/rc.d/rc3.d/S30pf_ring /etc/rc.d/rc5.d/S30pf_ring /etc/rc.d/rc0.d/K60pf_ring /etc/rc.d/rc1.d/K60pf_ring /etc/rc.d/rc2.d/S30pf_ring /etc/rc.d/init.d/pf_ring /etc/rc.d/rc4.d/S30pf_ring /etc/pf_ring /etc/pf_ring/dna /etc/pf_ring/dna/igb /etc/pf_ring/dna/ixgbe /etc/pf_ring/dna/e1000e /etc/pf_ring/zc /etc/pf_ring/zc/igb /etc/pf_ring/zc/ixgbe /etc/pf_ring/zc/e1000e /usr/local/pfring/kernel/pf_ring.ko /usr/local/include/linux/pf_ring.h Could you add PF_RING dynamic library here? Do you have any ideas about user friendly distribution of PF_RING? Today we have huge galaxy of PF_RING enabled tools. But in each case speedup need few days in manual compilation and configuration. -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Any user friendly ways to distribute software linked to PF_RING library and kernel module?
Hello again! I'm so sorry! I found libraries :) find /|grep pfring|grep '/usr/local' /usr/local/lib/libpfring.so /usr/local/lib/daq/daq_pfring.so /usr/local/lib/libpfring.a /usr/local/pfring /usr/local/pfring/README-DAQ.1st /usr/local/pfring/kernel /usr/local/pfring/kernel/pf_ring.ko /usr/local/pfring/README.FIRST /usr/local/include/pfring.h On Mon, Mar 23, 2015 at 11:06 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, folks! I'm an author of open source toolkit which linked with PF_RING library (yes, it also support ZC mode but I could disable it). And I want to prepare RPM/DEB packages for my tool for different distributions. But I can't because there are no PF_RING library in pf_ring packages for CentOS 6/7 and Debian 7. cat /etc/redhat-release CentOS release 6.6 (Final) rpm -qa|grep pfring pfring-dkms-6.0.3-dkms.noarch pfring-6.0.3-8637.x86_64 find /|grep pf_ring|grep -v '/usr/src' /var/lib/dkms/pfring/6.0.3/2.6.32-042stab094.7/x86_64/module/pf_ring.ko /etc/init/pf_ring.conf /etc/rc.d/rc6.d/K60pf_ring /etc/rc.d/rc3.d/S30pf_ring /etc/rc.d/rc5.d/S30pf_ring /etc/rc.d/rc0.d/K60pf_ring /etc/rc.d/rc1.d/K60pf_ring /etc/rc.d/rc2.d/S30pf_ring /etc/rc.d/init.d/pf_ring /etc/rc.d/rc4.d/S30pf_ring /etc/pf_ring /etc/pf_ring/dna /etc/pf_ring/dna/igb /etc/pf_ring/dna/ixgbe /etc/pf_ring/dna/e1000e /etc/pf_ring/zc /etc/pf_ring/zc/igb /etc/pf_ring/zc/ixgbe /etc/pf_ring/zc/e1000e /usr/local/pfring/kernel/pf_ring.ko /usr/local/include/linux/pf_ring.h Could you add PF_RING dynamic library here? Do you have any ideas about user friendly distribution of PF_RING? Today we have huge galaxy of PF_RING enabled tools. But in each case speedup need few days in manual compilation and configuration. -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] Any ETA about 6.0.3?
Hello, folks! 6.0.2 version is not enough stable and many customers complains about problems with it :( All problems solved with update from SVN but I can't rely on development tree. Do you have any estimations about release? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] PF_RING interface any conflicts with venet OpenVZ device
Hello, folks! I tried to open any device with pfring_open and got error: Can't create PF_RING descriptor: No such device But if I specify physical device eth0 or even bonding device bond0 all works fine. My interfaces list looks like: https://gist.github.com/pavel-odintsov/f4df760f1972247eebdd But I have virtual network device from OpenVZ: venet0Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet6 addr: fe80::1/128 Scope:Link UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:3 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) Looks like problem with it. Could you help me? Thanks! -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] KVM performance improvement without changing the virtio modules on the guest
Hello! Wow! Roadmaps for 2015 is really awesome! http://www.ntop.org/announce/ntop-2015-roadmap/ On Wed, Mar 11, 2015 at 8:40 AM, Luca Deri d...@ntop.org wrote: Morgan in the current ZC implementation you do not have to change anything in the guest or patch QEMU, but just load a kernel module (see https://svn.ntop.org/svn/ntop/trunk/PF_RING/userland/examples_zc/README.kvm). The us-vhost approach is interesting and we might consider supporting it. But not in a month or two, as we’re actively working at other projects (see our blog) that we will start introducing this spring. Regards Luca the enhancement On 11 Mar 2015, at 06:32, Morgan Yang morgan.yang1...@gmail.com wrote: Hi: Recently the Intel DPDK guys presented about a us-vhost approach, which they added DPDK support to KVM's side of vhost. See presentation here http://openvswitch.org/support/ovscon2014/18/1530-dpdk-accelerating.pptx The nice thing about this is approach is least intrusive to the guest. For black box or bundled virtual appliance deployments, we don't have the ability to change the guest's virtio module, so we don't be able to integrate with PF_RING_ZC and Netmap VALE. I'm curious if PF_RING is planning on something similar. Much Thanks Morgan Yang ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Bad timestamps with pfring_daq_zc
Hello! Nice suggestion for change driver name! Because I sometimes did not remember what driver loaded :( On Sun, Mar 8, 2015 at 10:18 PM, Jim Hranicky j...@ufl.edu wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Same thing: (Event) sensor id: 0event id: 1 event second: 0 event microsecond: 0 sig id: 2009986 gen id: 1 revision: 2 classification: 21 priority: 1 ip source: XX.XX.XX.XX ip destination: 27.141.202.62 src port: 8247 dest port: 8247 protocol: 17impact_flag: 0 blocked: 0 Mar 8 14:26:45 sensor kernel: [PF_RING] Welcome to PF_RING 6.0.3 ($Revision: 9060$) Mar 8 14:26:45 sensor kernel: [PF_RING] registered /proc/net/pf_ring/ Mar 8 14:26:45 sensor kernel: [PF_RING] Min # ring slots 4096 Mar 8 14:26:45 sensor kernel: [PF_RING] Slot version 16 Mar 8 14:26:45 sensor kernel: [PF_RING] Capture TX Yes [RX+TX] Mar 8 14:26:45 sensor kernel: [PF_RING] IP DefragmentNo Mar 8 14:26:45 sensor kernel: [PF_RING] Initialized correctly Mar 8 14:28:29 sensor kernel: [PF_RING_IXGBE] Intel(R) 10 Gigabit PCI Express Network Driver - version 3.22.3 Mar 8 14:50:45 sensor kernel: [PF_RING] Welcome to PF_RING 6.0.3 ($Revision: 9060$) Mar 8 14:50:45 sensor kernel: [PF_RING] registered /proc/net/pf_ring/ BTW, I usually edit ixgbe_main.c and add this: - --- Index: ixgbe_main.c === - --- ixgbe_main.c(revision 9060) +++ ixgbe_main.c(working copy) @@ -80,7 +80,7 @@ char ixgbe_driver_name[] = ixgbe; static const char ixgbe_driver_string[] = - - Intel(R) 10 Gigabit PCI Express Network Driver; + [PF_RING_IXGBE] Intel(R) 10 Gigabit PCI Express Network Driver; #define DRV_HW_PERF #define FPGA - --- Helps me know I installed the right driver. Would this be something you'd be interested in? Jim On 03/08/2015 12:31 PM, Alfredo Cardigliano wrote: Hi Jim software timestamping was disabled for performance reason, I patched the code (both ZC library and daq-zc) in svn now, please update and let us know. Alfredo On 06 Mar 2015, at 17:40, Jim Hranicky j...@ufl.edu wrote: So I'm testing the snort zc daq, and it seems to be working. Unfortunately, it seems snort is writing out events with a null timestamp: (Event) sensor id: 0event id: 1 event second: 0 event microsecond: 0 sig id: 2008583 gen id: 1 revision: 4 classification: 33 priority: 1 ip source: XX.XX.XX.XX ip destination: 41.58.217.229 src port: 38752 dest port: 6882 protocol: 17impact_flag: 0 blocked: 0 Going back to pfring_daq I get timestamps again: (Event) sensor id: 0event id: 1 event second: 1425659634 event microsecond: 670130 sig id: 2008581 gen id: 1 revision: 3 classification: 33 priority: 1 ip source: XX.XX.XX.XX ip destination: 5.141.224.27 src port: 45704 dest port: 48566protocol: 17impact_flag: 0 blocked: 0 Any ideas? -- Jim Hranicky Data Security Specialist UF Information Technology 105 NW 16TH ST Room #104 GAINESVILLE FL 32603-1826 352-273-1341 Information Security Office ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -BEGIN PGP SIGNATURE- Version: GnuPG v1 iF4EAREIAAYFAlT8oHUACgkQCGX2wHRYUXSyOAD/RVrAXRhGr60itInjHR/JQM53 3TnpCWq0KzFIfnt4XbUA/2XJrikcUX1OWh62wP6979xfcoPMSzBkrDcTsMQBGWM1 =D65Q -END PGP SIGNATURE- ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] Packet injection into Linux network stack with ZC like API
Hello, folks! I'm working on some sort of firewall for Linux (like userspace iptables/pf/pf-netmap). I'm trying build it with PF_RING ZC API. You have nice examples of packet injection here http://www.ntop.org/products/pf_ring/pf_ring-zc-zero-copy/ and you recommend to read pfsend.c code and this article https://svn.ntop.org/svn/ntop/trunk/PF_RING/userland/examples/README.stackinjection. But this code implemented with old API and I can't use it in my modern ZC API toolkit with pfring_zc_create_cluster/pfring_zc_recv_pkt/pfring_zc_pkt_buff_data. What recommended way to do linux network stack injection for ZC API? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Packet injection into Linux network stack with ZC like API
Good, thanks Alfredo! On Thu, Feb 26, 2015 at 5:11 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel you can use zsend as example for stack injection, it works in the same way pfsend does, just use the “stack:” prefix opening a device. Alfredo On 26 Feb 2015, at 15:01, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, folks! I'm working on some sort of firewall for Linux (like userspace iptables/pf/pf-netmap). I'm trying build it with PF_RING ZC API. You have nice examples of packet injection here http://www.ntop.org/products/pf_ring/pf_ring-zc-zero-copy/ and you recommend to read pfsend.c code and this article https://svn.ntop.org/svn/ntop/trunk/PF_RING/userland/examples/README.stackinjection. But this code implemented with old API and I can't use it in my modern ZC API toolkit with pfring_zc_create_cluster/pfring_zc_recv_pkt/pfring_zc_pkt_buff_data. What recommended way to do linux network stack injection for ZC API? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Contribution
Hello, folks! Moving PF_RING to GitHub is a very nice idea! It's very useful for code review and very convenient for sending patches. On Wed, Feb 11, 2015 at 3:57 PM, Budinich Galvez, Luis Alberto budi...@3p.mapfre.com wrote: Thanks Alfredo. I was wondering why don’t you create a clone repository on github. You can do it with a simple script, that will commit changes to your svn and to github. Then we could use those github great tools for pulling our modifications. For sure this will increase the community colaboration. Regards!!! De: ntop-misc-boun...@listgateway.unipi.it [mailto:ntop-misc-boun...@listgateway.unipi.it] En nombre de Alfredo Cardigliano Enviado el: miércoles, 11 de febrero de 2015 12:32 Para: ntop-misc@listgateway.unipi.it Asunto: Re: [Ntop-misc] Contribution Hi contributions are highly appreciated, please feel free to send us your patches for review, and they will be integrated in mainstream code. Thank you Alfredo On 11 Feb 2015, at 11:56, Budinich Galvez, Luis Alberto budi...@3p.mapfre.com wrote: Hi guys, is there any info on how to contribute to ntop project? I´m starting using github and have some posible modification to pf_ring files, but don’t know if it’s posible to share my modification (or “improvements”) with ntop project. I’m just trying to use pf_ring on SLES11 but have several problems generating my own rpms. If you want to have a look, https://github.com/memojoelojo. Regards!!! ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] Runtime linking to PF_RING library
Hello, folks! I found very interesting code for runtime linking to PF_RING (if we found it on machine): https://github.com/robertdavidgraham/robdns/blob/master/src/rawsock-pfring.c Do you have any plans to add support of this approach in upstream PF_RING library? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] #define max may interfere with C++ tools
Thank you, Alfredo! On Sat, Jan 10, 2015 at 12:55 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel the max() definition has been removed in SVN because it seems to be not needed anymore. Alfredo On 09 Jan 2015, at 23:28, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, folks! I found very interesting bug with max definition. I'm using using namespace std in my toolkit and hit very interesting error message when include pf_ring.h. It's related with conflict of names std::max and max from pf_ring.h: #ifndef max #define max(a, b) (a b ? a : b) #endif Maybe you can rename your internal max for compatibility? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] #define max may interfere with C++ tools
Hello, folks! I found very interesting bug with max definition. I'm using using namespace std in my toolkit and hit very interesting error message when include pf_ring.h. It's related with conflict of names std::max and max from pf_ring.h: #ifndef max #define max(a, b) (a b ? a : b) #endif Maybe you can rename your internal max for compatibility? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Ability to check state of ZC license and correctly shutdown tool
Hello, Alfredo! I switched to svn version of PF_RING and integrated pfring_zc_check_license call to my tool https://github.com/FastVPSEestiOu/fastnetmon/commit/3ab7bf50229148ff9cbc6cab4f0336305e85b308. According to comments from pfring_zc.h: @return true if ZC is running with no demo limit this function should return non negative number only for case when it have valid license. But for my tool running in demo mode and I got true for trial license: pfring_zc_check_license return:1 Is it OK and I should interpret non zero as trial or it's bug? On Tue, Dec 16, 2014 at 3:12 AM, Pavel Odintsov pavel.odint...@gmail.com wrote: WOW!!! Thank you soo much! You are the best ever and ever support! :) On Tue, Dec 16, 2014 at 3:05 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel there is a new API call pfring_zc_check_license() to check if trial or full ZC is running, you can terminate the application correctly handling SIGTERM. Alfredo On 14 Dec 2014, at 19:19, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, folks! My tool woking with ZC. And sometimes customers use it with trial ZC license (only for 5 minutes). But I can't check from my tool if license is trial and correctly notify customer about it. Because this information about this license is trial logged only on console and I can't catch it. When trial time 5 minutes is expired my tool hangs without any errors in log file because it works in daemon mode and do not have any stdio/stderr. Even in interactive mode I can catch error Demo time elapsed: please get a valid license but it's impossible for production use. Finally, I suggest two features: 1) API call for checking is this ZC license is valid or trial? 2) Ability to provide callback for finishing my toolkit correctly when trial time is expired. Thank you for a great product! -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Ability to check state of ZC license and correctly shutdown tool
Hello! Not, I tried to check license after any device open. I moved pfring_zc_check_license code right after pfring_zc_open_device and everything works fine! Thank you again! :) On Sun, Dec 21, 2014 at 12:31 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pave did you call the check after opening the device? Alfredo On 20 Dec 2014, at 22:29, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, Alfredo! I switched to svn version of PF_RING and integrated pfring_zc_check_license call to my tool https://github.com/FastVPSEestiOu/fastnetmon/commit/3ab7bf50229148ff9cbc6cab4f0336305e85b308. According to comments from pfring_zc.h: @return true if ZC is running with no demo limit this function should return non negative number only for case when it have valid license. But for my tool running in demo mode and I got true for trial license: pfring_zc_check_license return:1 Is it OK and I should interpret non zero as trial or it's bug? On Tue, Dec 16, 2014 at 3:12 AM, Pavel Odintsov pavel.odint...@gmail.com wrote: WOW!!! Thank you soo much! You are the best ever and ever support! :) On Tue, Dec 16, 2014 at 3:05 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel there is a new API call pfring_zc_check_license() to check if trial or full ZC is running, you can terminate the application correctly handling SIGTERM. Alfredo On 14 Dec 2014, at 19:19, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, folks! My tool woking with ZC. And sometimes customers use it with trial ZC license (only for 5 minutes). But I can't check from my tool if license is trial and correctly notify customer about it. Because this information about this license is trial logged only on console and I can't catch it. When trial time 5 minutes is expired my tool hangs without any errors in log file because it works in daemon mode and do not have any stdio/stderr. Even in interactive mode I can catch error Demo time elapsed: please get a valid license but it's impossible for production use. Finally, I suggest two features: 1) API call for checking is this ZC license is valid or trial? 2) Ability to provide callback for finishing my toolkit correctly when trial time is expired. Thank you for a great product! -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] What difference between round_robin_policy and round_robin_bursts_policy?
Hello, folks! I integrated PF_RING ZC API and everything works perfectly! I can handle about 6Mpps on Xeon e5 2420 now. But I have one question about pfring_zc_run_balancer params. I found documentation about flag recv_policy. But I can't find any difference between round_robin_policy and round_robin_bursts_policy. In all examples you used round_robin_bursts_policy but I can't understand why did you do this :( -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] What difference between round_robin_policy and round_robin_bursts_policy?
Thank you so much for answer! I understand now. On Fri, Dec 19, 2014 at 6:25 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel that is an (minor) optimisation, the capture thread receives packets in trains from the cards instead of one at a time, actually you should not see major improvements using the bursts version in your application. Alfredo On 19 Dec 2014, at 14:04, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, folks! I integrated PF_RING ZC API and everything works perfectly! I can handle about 6Mpps on Xeon e5 2420 now. But I have one question about pfring_zc_run_balancer params. I found documentation about flag recv_policy. But I can't find any difference between round_robin_policy and round_robin_bursts_policy. In all examples you used round_robin_bursts_policy but I can't understand why did you do this :( -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Consultations about solution architecture
Thank you for your help, Alfredo! I integrated ZC support via native ZC API and everything works nice. But I can't find any analogue for snaplen in ZC API. I need only packet headers for processing. Can I do it with ZC API? On Sat, Oct 25, 2014 at 5:37 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel for 10 Gbit line-rate you definitely need ZC, you can use hw RSS for spreading load across multiple instances of your application or custom software distribution (using for instance zbalance_ipc). For packet parsing you can use pfring_parse_pkt(), according to what you need you should call: pfring_parse_pkt(pkt /* u_char* */, hdr /* struct pfring_pkthdr* */, 3 /* up to L3 */, 0 /* no timestamp */, 0 /* no hash */); Alfredo On 23 Oct 2014, at 20:00, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, folks! I'm working on OSS solution for DDoS detection (https://github.com/FastVPSEestiOu/fastnetmon) and passed through hard way of: pcap, ulog2, pf_ring. I'm really amazed PF_RING and I can analyze streams up to 2 million packets per second on really slow hw (i7 2600 with Intel 82599). But my final target - provide monitoring ability on wire rate 10GBps and 14Mpps. I tried to use plain pf_ring, multichannel pf_ring and start thinking about ZC Maybe somebody can recommend best and fastest approach for my task? I need small amount of packet headers (src/dst ip, src/dst port, protocol). For extracting data I surely need some sort of packets parser. Fastest solution which I did now is multichannel pf_ring with 8 threads for collection data. But I can process only up to 2-3 MPPS and after this I got completely overloaded system: https://www.dropbox.com/s/m2ywqgwul8ka7ww/htoppng.png?dl=0 Is it possible to process more packets on non-zc PF_RING or I should go to ZC mode? :( -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] pf_ring with bond interface and transparent-mode=2
Hello! But why don't you can open both interfaces separately? Bonding is very simple round-robin balancer. And it didn't do any magic things. On Mon, Dec 15, 2014 at 2:18 PM, Piotr piotr.1...@interia.pl wrote: Hello, I'm new in pf_ring world, i try to run wanguard soft with pf_ring 5.6.2 I have bond interfaces and i'd like run with transparent-mode=1 or 2. After some test via pfcount i noticed that transparent-mode=1 or 2 works with dnaX interfaces but no with bonding interfaces. There is no received packets on bond interface. Transparent-mode=0 works with dns and bond interfaces without problem but i don't see differences in performance. Of course, if pfcount doesn't see bond interface in transparent-mode=2, Wanguard also doesn't see receiving packets. It is some limit, feature or i'm doing something wrong ? thanks for help Peter ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] pf_ring with bond interface and transparent-mode=2
You can try to mirror both (or more) bonding ports from router/switch to one interface. And sniff it with PF_RING ZC. Or you can try sFLOW for this links. It's very effective for ddos mitigation too. On Mon, Dec 15, 2014 at 2:42 PM, Piotr piotr.1...@interia.pl wrote: Hi, I can but it cost.. Each interface need one license. greetings, Peter W dniu 2014-12-15 12:37, Pavel Odintsov pisze: Hello! But why don't you can open both interfaces separately? Bonding is very simple round-robin balancer. And it didn't do any magic things. On Mon, Dec 15, 2014 at 2:18 PM, Piotr piotr.1...@interia.pl wrote: Hello, I'm new in pf_ring world, i try to run wanguard soft with pf_ring 5.6.2 I have bond interfaces and i'd like run with transparent-mode=1 or 2. After some test via pfcount i noticed that transparent-mode=1 or 2 works with dnaX interfaces but no with bonding interfaces. There is no received packets on bond interface. Transparent-mode=0 works with dns and bond interfaces without problem but i don't see differences in performance. Of course, if pfcount doesn't see bond interface in transparent-mode=2, Wanguard also doesn't see receiving packets. It is some limit, feature or i'm doing something wrong ? thanks for help Peter ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] I suggest addition to load_driver.sh for ixgbe
Thank you! On Sat, Dec 13, 2014 at 6:33 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel fixed, thank you Alfredo On 13 Dec 2014, at 13:31, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! Please add this umount command before mount -t hugetlbfs: umount /mnt/huge Because if we call it multiple times we got unexpected results: nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 And this issue originate troubles with ZC buffers: ./zcount -i zc:eth4 -c 1 # # ERROR: You do not seem to have a valid PF_RING ZC license 6.0.2.140923 for eth4 [Intel 10 Gbit ixgbe 82599-based] # ERROR: Please get one at http://shop.ntop.org/. # # We're now working in demo mode with packet capture and # transmission limited to 5 minutes # *** error mmap'ing hugepage /mnt/huge/pfring_zc_1: Cannot allocate memory *** *** error mmap'ing 64 hugepages of 2048 KB *** pfring_zc_create_cluster error [No buffer space available] Please check that pf_ring.ko is loaded and hugetlb fs is mounted Thank you! -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] Ability to check state of ZC license and correctly shutdown tool
Hello, folks! My tool woking with ZC. And sometimes customers use it with trial ZC license (only for 5 minutes). But I can't check from my tool if license is trial and correctly notify customer about it. Because this information about this license is trial logged only on console and I can't catch it. When trial time 5 minutes is expired my tool hangs without any errors in log file because it works in daemon mode and do not have any stdio/stderr. Even in interactive mode I can catch error Demo time elapsed: please get a valid license but it's impossible for production use. Finally, I suggest two features: 1) API call for checking is this ZC license is valid or trial? 2) Ability to provide callback for finishing my toolkit correctly when trial time is expired. Thank you for a great product! -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] I suggest addition to load_driver.sh for ixgbe
Hello! Please add this umount command before mount -t hugetlbfs: umount /mnt/huge Because if we call it multiple times we got unexpected results: nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 nodev /mnt/huge hugetlbfs rw,relatime 0 0 And this issue originate troubles with ZC buffers: ./zcount -i zc:eth4 -c 1 # # ERROR: You do not seem to have a valid PF_RING ZC license 6.0.2.140923 for eth4 [Intel 10 Gbit ixgbe 82599-based] # ERROR: Please get one at http://shop.ntop.org/. # # We're now working in demo mode with packet capture and # transmission limited to 5 minutes # *** error mmap'ing hugepage /mnt/huge/pfring_zc_1: Cannot allocate memory *** *** error mmap'ing 64 hugepages of 2048 KB *** pfring_zc_create_cluster error [No buffer space available] Please check that pf_ring.ko is loaded and hugetlb fs is mounted Thank you! -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] PF_RING ZC overload my CPU
Hello! I'm using PF_RING 6.0.2 with Debian 7 Wheezy 3.2.0-4-amd64. I installed ixgbe driver with ZC support and loaded it with load_driver.sh. I don't need any processing and linux stack thus I set: transparent_mode=2. After this I run udp flood from 6 hping instances from another server: hping3 -I eth1 --udp --flood 10.10.10.200 After this I run top and got this: %Cpu(s): 0.0 us, 0.0 sy, 0.0 ni, 90.3 id, 0.0 wa, 0.0 hi, 9.7 si, 0.0 st 3 root 20 0 000 S 78.5 0.0 5:40.02 ksoftirqd/0 htop looks like this: 1 [93.9%] Tasks: 24, 3 thr, 49 kthr; 1 running 2 [ 0.0%] Load average: 0.05 0.20 0.22 3 [ 0.0%] Uptime: 18 days, 22:04:44 4 [ 0.0%] Mem[||| 2661/32207MB] Swp[ 0/8190MB] I even tried to enable quick_mode=1 but ksoftirqd consuming almost whole CPU core. Thank you for your attention! -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] PF_RING ZC overload my CPU
Total number of generated packets per second flood was about 1million packets per second, CPU E5-2407 0 @ 2.20GHz. On Fri, Dec 12, 2014 at 6:19 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I'm using PF_RING 6.0.2 with Debian 7 Wheezy 3.2.0-4-amd64. I installed ixgbe driver with ZC support and loaded it with load_driver.sh. I don't need any processing and linux stack thus I set: transparent_mode=2. After this I run udp flood from 6 hping instances from another server: hping3 -I eth1 --udp --flood 10.10.10.200 After this I run top and got this: %Cpu(s): 0.0 us, 0.0 sy, 0.0 ni, 90.3 id, 0.0 wa, 0.0 hi, 9.7 si, 0.0 st 3 root 20 0 000 S 78.5 0.0 5:40.02 ksoftirqd/0 htop looks like this: 1 [93.9%] Tasks: 24, 3 thr, 49 kthr; 1 running 2 [ 0.0%] Load average: 0.05 0.20 0.22 3 [ 0.0%] Uptime: 18 days, 22:04:44 4 [ 0.0%] Mem[||| 2661/32207MB] Swp[ 0/8190MB] I even tried to enable quick_mode=1 but ksoftirqd consuming almost whole CPU core. Thank you for your attention! -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] PF_RING ZC overload my CPU
Oh, very strange! In transparent_mode=2 quick_mode=1 I still can see packets at interface with standard pcap tcpdump: tcpdump -i eth4 -c 10 tcpdump: WARNING: eth4: no IPv4 address assigned tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth4, link-type EN10MB (Ethernet), capture size 65535 bytes 19:15:19.916730 IP 10.10.10.100.49645 10.10.10.200.0: UDP, length 0 19:15:19.916733 IP 10.10.10.100.41742 10.10.10.200.0: UDP, length 0 19:15:19.916734 IP 10.10.10.100.30047 10.10.10.200.0: UDP, length 0 19:15:19.916735 IP 10.10.10.100.41743 10.10.10.200.0: UDP, length 0 19:15:19.916736 IP 10.10.10.100.38649 10.10.10.200.0: UDP, length 0 19:15:19.916737 IP 10.10.10.100.30048 10.10.10.200.0: UDP, length 0 19:15:19.916739 IP 10.10.10.100.49646 10.10.10.200.0: UDP, length 0 19:15:19.916740 IP 10.10.10.100.52632 10.10.10.200.0: UDP, length 0 19:15:19.916741 IP 10.10.10.100.41744 10.10.10.200.0: UDP, length 0 19:15:19.916742 IP 10.10.10.100.30049 10.10.10.200.0: UDP, length 0 10 packets captured 2980 packets received by filter 2839 packets dropped by kernel On Fri, Dec 12, 2014 at 7:11 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, Luca! I'm loading ixgbe patched ixgbe driver, loaded pf_ring, start hping flood from another machine and got 90% of kernel load from ksoftirqd. I did not started any toolkit yet :( But ZC looks like working because it work many times faster then vanilla PF_RING and process 2 mpps of packets! And it complains about license: # ERROR: You do not seem to have a valid PF_RING ZC license 6.0.2.140923 for eth4 [Intel 10 Gbit ixgbe 82599-based] # ERROR: Please get one at http://shop.ntop.org/. On Fri, Dec 12, 2014 at 7:02 PM, Luca Deri d...@ntop.org wrote: Pavel if you have ksoftirq up, I believe you are not using ZC. Please explain what you are doing? Luca On 12 Dec 2014, at 16:24, Pavel Odintsov pavel.odint...@gmail.com wrote: Total number of generated packets per second flood was about 1million packets per second, CPU E5-2407 0 @ 2.20GHz. On Fri, Dec 12, 2014 at 6:19 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I'm using PF_RING 6.0.2 with Debian 7 Wheezy 3.2.0-4-amd64. I installed ixgbe driver with ZC support and loaded it with load_driver.sh. I don't need any processing and linux stack thus I set: transparent_mode=2. After this I run udp flood from 6 hping instances from another server: hping3 -I eth1 --udp --flood 10.10.10.200 After this I run top and got this: %Cpu(s): 0.0 us, 0.0 sy, 0.0 ni, 90.3 id, 0.0 wa, 0.0 hi, 9.7 si, 0.0 st 3 root 20 0 000 S 78.5 0.0 5:40.02 ksoftirqd/0 htop looks like this: 1 [93.9%] Tasks: 24, 3 thr, 49 kthr; 1 running 2 [ 0.0%] Load average: 0.05 0.20 0.22 3 [ 0.0%] Uptime: 18 days, 22:04:44 4 [ 0.0%] Mem[||| 2661/32207MB] Swp[ 0/8190MB] I even tried to enable quick_mode=1 but ksoftirqd consuming almost whole CPU core. Thank you for your attention! -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] PF_RING ZC overload my CPU
Maybe it will be relevant and I have 2 NIC's with 2 ports each in this server: 0a:00.0 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) 0a:00.1 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) 0d:00.0 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) 0d:00.1 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) On Fri, Dec 12, 2014 at 7:16 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Oh, very strange! In transparent_mode=2 quick_mode=1 I still can see packets at interface with standard pcap tcpdump: tcpdump -i eth4 -c 10 tcpdump: WARNING: eth4: no IPv4 address assigned tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth4, link-type EN10MB (Ethernet), capture size 65535 bytes 19:15:19.916730 IP 10.10.10.100.49645 10.10.10.200.0: UDP, length 0 19:15:19.916733 IP 10.10.10.100.41742 10.10.10.200.0: UDP, length 0 19:15:19.916734 IP 10.10.10.100.30047 10.10.10.200.0: UDP, length 0 19:15:19.916735 IP 10.10.10.100.41743 10.10.10.200.0: UDP, length 0 19:15:19.916736 IP 10.10.10.100.38649 10.10.10.200.0: UDP, length 0 19:15:19.916737 IP 10.10.10.100.30048 10.10.10.200.0: UDP, length 0 19:15:19.916739 IP 10.10.10.100.49646 10.10.10.200.0: UDP, length 0 19:15:19.916740 IP 10.10.10.100.52632 10.10.10.200.0: UDP, length 0 19:15:19.916741 IP 10.10.10.100.41744 10.10.10.200.0: UDP, length 0 19:15:19.916742 IP 10.10.10.100.30049 10.10.10.200.0: UDP, length 0 10 packets captured 2980 packets received by filter 2839 packets dropped by kernel On Fri, Dec 12, 2014 at 7:11 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, Luca! I'm loading ixgbe patched ixgbe driver, loaded pf_ring, start hping flood from another machine and got 90% of kernel load from ksoftirqd. I did not started any toolkit yet :( But ZC looks like working because it work many times faster then vanilla PF_RING and process 2 mpps of packets! And it complains about license: # ERROR: You do not seem to have a valid PF_RING ZC license 6.0.2.140923 for eth4 [Intel 10 Gbit ixgbe 82599-based] # ERROR: Please get one at http://shop.ntop.org/. On Fri, Dec 12, 2014 at 7:02 PM, Luca Deri d...@ntop.org wrote: Pavel if you have ksoftirq up, I believe you are not using ZC. Please explain what you are doing? Luca On 12 Dec 2014, at 16:24, Pavel Odintsov pavel.odint...@gmail.com wrote: Total number of generated packets per second flood was about 1million packets per second, CPU E5-2407 0 @ 2.20GHz. On Fri, Dec 12, 2014 at 6:19 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I'm using PF_RING 6.0.2 with Debian 7 Wheezy 3.2.0-4-amd64. I installed ixgbe driver with ZC support and loaded it with load_driver.sh. I don't need any processing and linux stack thus I set: transparent_mode=2. After this I run udp flood from 6 hping instances from another server: hping3 -I eth1 --udp --flood 10.10.10.200 After this I run top and got this: %Cpu(s): 0.0 us, 0.0 sy, 0.0 ni, 90.3 id, 0.0 wa, 0.0 hi, 9.7 si, 0.0 st 3 root 20 0 000 S 78.5 0.0 5:40.02 ksoftirqd/0 htop looks like this: 1 [93.9%] Tasks: 24, 3 thr, 49 kthr; 1 running 2 [ 0.0%] Load average: 0.05 0.20 0.22 3 [ 0.0%] Uptime: 18 days, 22:04:44 4 [ 0.0%] Mem[||| 2661/32207MB] Swp[ 0/8190MB] I even tried to enable quick_mode=1 but ksoftirqd consuming almost whole CPU core. Thank you for your attention! -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] PF_RING ZC overload my CPU
Yep, I opened zc:ethX and everything works fine. But ksoftirqd still overload my system because packets flow into Linux Network Stack too :( On Fri, Dec 12, 2014 at 7:29 PM, Luca Deri d...@ntop.org wrote: ok but for using zc you need to open “zc:eth4” whereas “eth4” uses sthe standard PF_RING Luca On 12 Dec 2014, at 17:23, Pavel Odintsov pavel.odint...@gmail.com wrote: Maybe it will be relevant and I have 2 NIC's with 2 ports each in this server: 0a:00.0 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) 0a:00.1 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) 0d:00.0 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) 0d:00.1 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) On Fri, Dec 12, 2014 at 7:16 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Oh, very strange! In transparent_mode=2 quick_mode=1 I still can see packets at interface with standard pcap tcpdump: tcpdump -i eth4 -c 10 tcpdump: WARNING: eth4: no IPv4 address assigned tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth4, link-type EN10MB (Ethernet), capture size 65535 bytes 19:15:19.916730 IP 10.10.10.100.49645 10.10.10.200.0: UDP, length 0 19:15:19.916733 IP 10.10.10.100.41742 10.10.10.200.0: UDP, length 0 19:15:19.916734 IP 10.10.10.100.30047 10.10.10.200.0: UDP, length 0 19:15:19.916735 IP 10.10.10.100.41743 10.10.10.200.0: UDP, length 0 19:15:19.916736 IP 10.10.10.100.38649 10.10.10.200.0: UDP, length 0 19:15:19.916737 IP 10.10.10.100.30048 10.10.10.200.0: UDP, length 0 19:15:19.916739 IP 10.10.10.100.49646 10.10.10.200.0: UDP, length 0 19:15:19.916740 IP 10.10.10.100.52632 10.10.10.200.0: UDP, length 0 19:15:19.916741 IP 10.10.10.100.41744 10.10.10.200.0: UDP, length 0 19:15:19.916742 IP 10.10.10.100.30049 10.10.10.200.0: UDP, length 0 10 packets captured 2980 packets received by filter 2839 packets dropped by kernel On Fri, Dec 12, 2014 at 7:11 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, Luca! I'm loading ixgbe patched ixgbe driver, loaded pf_ring, start hping flood from another machine and got 90% of kernel load from ksoftirqd. I did not started any toolkit yet :( But ZC looks like working because it work many times faster then vanilla PF_RING and process 2 mpps of packets! And it complains about license: # ERROR: You do not seem to have a valid PF_RING ZC license 6.0.2.140923 for eth4 [Intel 10 Gbit ixgbe 82599-based] # ERROR: Please get one at http://shop.ntop.org/. On Fri, Dec 12, 2014 at 7:02 PM, Luca Deri d...@ntop.org wrote: Pavel if you have ksoftirq up, I believe you are not using ZC. Please explain what you are doing? Luca On 12 Dec 2014, at 16:24, Pavel Odintsov pavel.odint...@gmail.com wrote: Total number of generated packets per second flood was about 1million packets per second, CPU E5-2407 0 @ 2.20GHz. On Fri, Dec 12, 2014 at 6:19 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I'm using PF_RING 6.0.2 with Debian 7 Wheezy 3.2.0-4-amd64. I installed ixgbe driver with ZC support and loaded it with load_driver.sh. I don't need any processing and linux stack thus I set: transparent_mode=2. After this I run udp flood from 6 hping instances from another server: hping3 -I eth1 --udp --flood 10.10.10.200 After this I run top and got this: %Cpu(s): 0.0 us, 0.0 sy, 0.0 ni, 90.3 id, 0.0 wa, 0.0 hi, 9.7 si, 0.0 st 3 root 20 0 000 S 78.5 0.0 5:40.02 ksoftirqd/0 htop looks like this: 1 [93.9%] Tasks: 24, 3 thr, 49 kthr; 1 running 2 [ 0.0%] Load average: 0.05 0.20 0.22 3 [ 0.0%] Uptime: 18 days, 22:04:44 4 [ 0.0%] Mem[||| 2661/32207MB] Swp[ 0/8190MB] I even tried to enable quick_mode=1 but ksoftirqd consuming almost whole CPU core. Thank you for your attention! -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc
Re: [Ntop-misc] PF_RING ZC overload my CPU
Hello! But how I can disable passing packets to system? I need this packets only at PF_RING level :) On Fri, Dec 12, 2014 at 8:03 PM, Luca Deri d...@ntop.org wrote: Good to know ZC works as expected Luca On 12 Dec 2014, at 17:33, Pavel Odintsov pavel.odint...@gmail.com wrote: Yep, I opened zc:ethX and everything works fine. But ksoftirqd still overload my system because packets flow into Linux Network Stack too :( On Fri, Dec 12, 2014 at 7:29 PM, Luca Deri d...@ntop.org wrote: ok but for using zc you need to open “zc:eth4” whereas “eth4” uses sthe standard PF_RING Luca On 12 Dec 2014, at 17:23, Pavel Odintsov pavel.odint...@gmail.com wrote: Maybe it will be relevant and I have 2 NIC's with 2 ports each in this server: 0a:00.0 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) 0a:00.1 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) 0d:00.0 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) 0d:00.1 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) On Fri, Dec 12, 2014 at 7:16 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Oh, very strange! In transparent_mode=2 quick_mode=1 I still can see packets at interface with standard pcap tcpdump: tcpdump -i eth4 -c 10 tcpdump: WARNING: eth4: no IPv4 address assigned tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth4, link-type EN10MB (Ethernet), capture size 65535 bytes 19:15:19.916730 IP 10.10.10.100.49645 10.10.10.200.0: UDP, length 0 19:15:19.916733 IP 10.10.10.100.41742 10.10.10.200.0: UDP, length 0 19:15:19.916734 IP 10.10.10.100.30047 10.10.10.200.0: UDP, length 0 19:15:19.916735 IP 10.10.10.100.41743 10.10.10.200.0: UDP, length 0 19:15:19.916736 IP 10.10.10.100.38649 10.10.10.200.0: UDP, length 0 19:15:19.916737 IP 10.10.10.100.30048 10.10.10.200.0: UDP, length 0 19:15:19.916739 IP 10.10.10.100.49646 10.10.10.200.0: UDP, length 0 19:15:19.916740 IP 10.10.10.100.52632 10.10.10.200.0: UDP, length 0 19:15:19.916741 IP 10.10.10.100.41744 10.10.10.200.0: UDP, length 0 19:15:19.916742 IP 10.10.10.100.30049 10.10.10.200.0: UDP, length 0 10 packets captured 2980 packets received by filter 2839 packets dropped by kernel On Fri, Dec 12, 2014 at 7:11 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, Luca! I'm loading ixgbe patched ixgbe driver, loaded pf_ring, start hping flood from another machine and got 90% of kernel load from ksoftirqd. I did not started any toolkit yet :( But ZC looks like working because it work many times faster then vanilla PF_RING and process 2 mpps of packets! And it complains about license: # ERROR: You do not seem to have a valid PF_RING ZC license 6.0.2.140923 for eth4 [Intel 10 Gbit ixgbe 82599-based] # ERROR: Please get one at http://shop.ntop.org/. On Fri, Dec 12, 2014 at 7:02 PM, Luca Deri d...@ntop.org wrote: Pavel if you have ksoftirq up, I believe you are not using ZC. Please explain what you are doing? Luca On 12 Dec 2014, at 16:24, Pavel Odintsov pavel.odint...@gmail.com wrote: Total number of generated packets per second flood was about 1million packets per second, CPU E5-2407 0 @ 2.20GHz. On Fri, Dec 12, 2014 at 6:19 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I'm using PF_RING 6.0.2 with Debian 7 Wheezy 3.2.0-4-amd64. I installed ixgbe driver with ZC support and loaded it with load_driver.sh. I don't need any processing and linux stack thus I set: transparent_mode=2. After this I run udp flood from 6 hping instances from another server: hping3 -I eth1 --udp --flood 10.10.10.200 After this I run top and got this: %Cpu(s): 0.0 us, 0.0 sy, 0.0 ni, 90.3 id, 0.0 wa, 0.0 hi, 9.7 si, 0.0 st 3 root 20 0 000 S 78.5 0.0 5:40.02 ksoftirqd/0 htop looks like this: 1 [93.9%] Tasks: 24, 3 thr, 49 kthr; 1 running 2 [ 0.0%] Load average: 0.05 0.20 0.22 3 [ 0.0%] Uptime: 18 days, 22:04:44 4 [ 0.0%] Mem[||| 2661/32207MB] Swp[ 0/8190MB] I even tried to enable quick_mode=1 but ksoftirqd consuming almost whole CPU core. Thank you for your attention! -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov -- Sincerely yours
Re: [Ntop-misc] PF_RING ZC overload my CPU
Hmmm I understand. Thank you! But can I disconnect interface from system completely with ixgbe/pf_ring flags? I do some testing and my tool running not all time. In time while tool switched off I got bunch of packets and my system overloaded :( On Fri, Dec 12, 2014 at 8:46 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel when you open an interface in ZC mode (zc:ethX) it gets disconnected from the linux stack Alfredo On 12 Dec 2014, at 18:42, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! But how I can disable passing packets to system? I need this packets only at PF_RING level :) On Fri, Dec 12, 2014 at 8:03 PM, Luca Deri d...@ntop.org wrote: Good to know ZC works as expected Luca On 12 Dec 2014, at 17:33, Pavel Odintsov pavel.odint...@gmail.com wrote: Yep, I opened zc:ethX and everything works fine. But ksoftirqd still overload my system because packets flow into Linux Network Stack too :( On Fri, Dec 12, 2014 at 7:29 PM, Luca Deri d...@ntop.org wrote: ok but for using zc you need to open “zc:eth4” whereas “eth4” uses sthe standard PF_RING Luca On 12 Dec 2014, at 17:23, Pavel Odintsov pavel.odint...@gmail.com wrote: Maybe it will be relevant and I have 2 NIC's with 2 ports each in this server: 0a:00.0 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) 0a:00.1 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) 0d:00.0 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) 0d:00.1 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) On Fri, Dec 12, 2014 at 7:16 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Oh, very strange! In transparent_mode=2 quick_mode=1 I still can see packets at interface with standard pcap tcpdump: tcpdump -i eth4 -c 10 tcpdump: WARNING: eth4: no IPv4 address assigned tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth4, link-type EN10MB (Ethernet), capture size 65535 bytes 19:15:19.916730 IP 10.10.10.100.49645 10.10.10.200.0: UDP, length 0 19:15:19.916733 IP 10.10.10.100.41742 10.10.10.200.0: UDP, length 0 19:15:19.916734 IP 10.10.10.100.30047 10.10.10.200.0: UDP, length 0 19:15:19.916735 IP 10.10.10.100.41743 10.10.10.200.0: UDP, length 0 19:15:19.916736 IP 10.10.10.100.38649 10.10.10.200.0: UDP, length 0 19:15:19.916737 IP 10.10.10.100.30048 10.10.10.200.0: UDP, length 0 19:15:19.916739 IP 10.10.10.100.49646 10.10.10.200.0: UDP, length 0 19:15:19.916740 IP 10.10.10.100.52632 10.10.10.200.0: UDP, length 0 19:15:19.916741 IP 10.10.10.100.41744 10.10.10.200.0: UDP, length 0 19:15:19.916742 IP 10.10.10.100.30049 10.10.10.200.0: UDP, length 0 10 packets captured 2980 packets received by filter 2839 packets dropped by kernel On Fri, Dec 12, 2014 at 7:11 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, Luca! I'm loading ixgbe patched ixgbe driver, loaded pf_ring, start hping flood from another machine and got 90% of kernel load from ksoftirqd. I did not started any toolkit yet :( But ZC looks like working because it work many times faster then vanilla PF_RING and process 2 mpps of packets! And it complains about license: # ERROR: You do not seem to have a valid PF_RING ZC license 6.0.2.140923 for eth4 [Intel 10 Gbit ixgbe 82599-based] # ERROR: Please get one at http://shop.ntop.org/. On Fri, Dec 12, 2014 at 7:02 PM, Luca Deri d...@ntop.org wrote: Pavel if you have ksoftirq up, I believe you are not using ZC. Please explain what you are doing? Luca On 12 Dec 2014, at 16:24, Pavel Odintsov pavel.odint...@gmail.com wrote: Total number of generated packets per second flood was about 1million packets per second, CPU E5-2407 0 @ 2.20GHz. On Fri, Dec 12, 2014 at 6:19 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I'm using PF_RING 6.0.2 with Debian 7 Wheezy 3.2.0-4-amd64. I installed ixgbe driver with ZC support and loaded it with load_driver.sh. I don't need any processing and linux stack thus I set: transparent_mode=2. After this I run udp flood from 6 hping instances from another server: hping3 -I eth1 --udp --flood 10.10.10.200 After this I run top and got this: %Cpu(s): 0.0 us, 0.0 sy, 0.0 ni, 90.3 id, 0.0 wa, 0.0 hi, 9.7 si, 0.0 st 3 root 20 0 000 S 78.5 0.0 5:40.02 ksoftirqd/0 htop looks like this: 1 [93.9%] Tasks: 24, 3 thr, 49 kthr; 1 running 2 [ 0.0%] Load average: 0.05 0.20 0.22 3 [ 0.0%] Uptime: 18 days, 22:04:44 4 [ 0.0%] Mem[||| 2661/32207MB] Swp[ 0/8190MB] I even tried to enable quick_mode=1 but ksoftirqd
Re: [Ntop-misc] Statistics on performance of ZC?
Same question from me! On Fri, Dec 12, 2014 at 10:44 PM, Jesse Bowling jessebowl...@gmail.com wrote: In the vanilla PF_RING world, one could look under /proc/net/pf_ring and find files for each process using PF_RING, and these files contained information on packets seen, dropped, processed, as well as memory information. I’d like to know if there are similar things when using the ZC drivers. I did find that when using the zbalance_ipc example program to bind two interfaces together and then deliver that information to a single process there was a file under /proc/net/pf_ring/stats for the process, but it did not see to contain useful information in terms of performance. What is the recommended way to obtain statistics on ZC performance (or really, app performance using ZC)? I notice zbalance_ipc does print statistics to the screen while running; can these be disabled? Would you expect zbalance_ipc to be used in a similar fashion as pfdnaclustermaster was for DNA? Cheers, Jesse ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] How I can enable PF_RING packets parser in ZC mode?
I read diff between 6.0.3 and current SVN and do not found any changes in parser :( Can you help me? On Wed, Dec 10, 2014 at 6:37 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I tried to do manual parsing and it failed with very strange results. I tried do manual parser with vanilla PF_RING and it work perfectly. But when I move to zc:eth4 everything goes weird. You can look at code example here: https://github.com/FastVPSEestiOu/fastnetmon/blob/master/pfring_parser_zc_issue.c Here you can find examples of broken packets generated in ZC mode: [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=2697283473][tos=0][tcp_seq_num=0] [caplen=101][len=101][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=2427859156][tos=0][tcp_seq_num=0] [caplen=128][len=1494][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=785972458][tos=0][tcp_seq_num=0] [caplen=128][len=899][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=235012324][tos=0][tcp_seq_num=0] [caplen=128][len=1514][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=235012324][tos=0][tcp_seq_num=0] [caplen=128][len=1514][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=2452494655][tos=0][tcp_seq_num=0] [caplen=128][len=669][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=3004425024][tos=0][tcp_seq_num=0] [caplen=62][len=62][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=1947699452][tos=0][tcp_seq_num=0] [caplen=82][len=82][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=4270253576][tos=0][tcp_seq_num=0] [caplen=128][len=214][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=2404904871][tos=0][tcp_seq_num=0] [caplen=74][len=74][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] When I remove zc prefix everything goes OK: [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [vlan 100] [IPv4][46.36.217.163:60425 - 66.212.227.177:80] [l3_proto=TCP][hash=1895475635][tos=0][tcp_seq_num=3109618290] [caplen=74][len=74][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=70] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [vlan 100] [IPv4][185.4.74.46:80 - 79.104.202.167:29676] [l3_proto=TCP][hash=141396247][tos=0][tcp_seq_num=2414040755] [caplen=128][len=1422][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] [90:E2:BA:49:85:C8 - 00:19:E2:B1:EF:C1] [vlan 103] [IPv4][5.45.125.197:80 - 94.19.227.237:19226] [l3_proto=TCP][hash=1665248546][tos=0][tcp_seq_num=3106769437] [caplen=128][len=1322][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] [00:19:E2:B1:EF:C1 - 90:E2:BA:49:85:C8] [IPv4][188.123.252.42:54821 - 5.45.117.243:80] [l3_proto=TCP][hash=3249162392][tos=0][tcp_seq_num=3384753169] [caplen=64][len=64][parsed_header_len=0][eth_offset=-14][l3_offset=14][l4_offset=34][payload_offset=54] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [vlan 100] [IPv4][159.253.23.8:443 - 93.80.68.118:52364] [l3_proto=TCP][hash=4249758155][tos=0][tcp_seq_num=4188560676] [caplen=128][len=320][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] [5C:5E:AB:24:0F:C0 - 90:E2:BA:49:85:C8] [IPv4][54.231.136.26:80 - 159.253.18.81:36360] [l3_proto=TCP][hash=3605342409][tos=0][tcp_seq_num=2042671898] [caplen=64][len=64][parsed_header_len=0][eth_offset=-14][l3_offset=14][l4_offset=34][payload_offset=54] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [vlan 100] [IPv4][159.253.20.133:80 - 178.18.208.229:41361] [l3_proto=TCP][hash=1376814929][tos=0][tcp_seq_num=1451307525] [caplen=128][len=1522][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] Could you help me? Thank you! On Tue, Oct 21, 2014 at 12:20 PM, Pavel Odintsov pavel.odint
Re: [Ntop-misc] How I can enable PF_RING packets parser in ZC mode?
I tried to find fix for this issue but have no success in it :( On Thu, Dec 11, 2014 at 5:23 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel why do you expect a difference? Alfredo On 11 Dec 2014, at 15:11, Pavel Odintsov pavel.odint...@gmail.com wrote: I read diff between 6.0.3 and current SVN and do not found any changes in parser :( Can you help me? On Wed, Dec 10, 2014 at 6:37 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I tried to do manual parsing and it failed with very strange results. I tried do manual parser with vanilla PF_RING and it work perfectly. But when I move to zc:eth4 everything goes weird. You can look at code example here: https://github.com/FastVPSEestiOu/fastnetmon/blob/master/pfring_parser_zc_issue.c Here you can find examples of broken packets generated in ZC mode: [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=2697283473][tos=0][tcp_seq_num=0] [caplen=101][len=101][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=2427859156][tos=0][tcp_seq_num=0] [caplen=128][len=1494][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=785972458][tos=0][tcp_seq_num=0] [caplen=128][len=899][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=235012324][tos=0][tcp_seq_num=0] [caplen=128][len=1514][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=235012324][tos=0][tcp_seq_num=0] [caplen=128][len=1514][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=2452494655][tos=0][tcp_seq_num=0] [caplen=128][len=669][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=3004425024][tos=0][tcp_seq_num=0] [caplen=62][len=62][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=1947699452][tos=0][tcp_seq_num=0] [caplen=82][len=82][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=4270253576][tos=0][tcp_seq_num=0] [caplen=128][len=214][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=2404904871][tos=0][tcp_seq_num=0] [caplen=74][len=74][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] When I remove zc prefix everything goes OK: [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [vlan 100] [IPv4][46.36.217.163:60425 - 66.212.227.177:80] [l3_proto=TCP][hash=1895475635][tos=0][tcp_seq_num=3109618290] [caplen=74][len=74][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=70] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [vlan 100] [IPv4][185.4.74.46:80 - 79.104.202.167:29676] [l3_proto=TCP][hash=141396247][tos=0][tcp_seq_num=2414040755] [caplen=128][len=1422][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] [90:E2:BA:49:85:C8 - 00:19:E2:B1:EF:C1] [vlan 103] [IPv4][5.45.125.197:80 - 94.19.227.237:19226] [l3_proto=TCP][hash=1665248546][tos=0][tcp_seq_num=3106769437] [caplen=128][len=1322][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] [00:19:E2:B1:EF:C1 - 90:E2:BA:49:85:C8] [IPv4][188.123.252.42:54821 - 5.45.117.243:80] [l3_proto=TCP][hash=3249162392][tos=0][tcp_seq_num=3384753169] [caplen=64][len=64][parsed_header_len=0][eth_offset=-14][l3_offset=14][l4_offset=34][payload_offset=54] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [vlan 100] [IPv4][159.253.23.8:443 - 93.80.68.118:52364] [l3_proto=TCP][hash=4249758155][tos=0][tcp_seq_num=4188560676] [caplen=128][len=320][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] [5C:5E:AB:24:0F:C0 - 90:E2:BA:49:85:C8] [IPv4][54.231.136.26:80 - 159.253.18.81:36360] [l3_proto=TCP][hash=3605342409][tos=0][tcp_seq_num=2042671898] [caplen=64][len=64][parsed_header_len=0][eth_offset=-14][l3_offset=14][l4_offset=34][payload_offset=54] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [vlan 100] [IPv4][159.253.20.133:80 - 178.18.208.229
Re: [Ntop-misc] How I can enable PF_RING packets parser in ZC mode?
Thank you so much! I appreciate your help! Songs very strange but I suppose ZC is not zeroed packet header data between calls: First packet: Before parser:[00:00:00:00:00:00 - 00:00:00:00:00:00] [eth_type=0x] [caplen=74][len=74][parsed_header_len=0][eth_offset=0][l3_offset=0][l4_offset=0][payload_offset=0] After parser:[90:E2:BA:78:26:8C - 90:E2:BA:4A:D8:DC] [IPv4][10.10.10.100:43036 - 10.10.10.200:82] [l3_proto=TCP][hash=1454961952][tos=16][tcp_seq_num=661801648] [caplen=74][len=74][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=74] Second packet (it should be clean after parser coll): Before parser:[90:E2:BA:78:26:8C - 90:E2:BA:4A:D8:DC] [IPv4][10.10.10.100:43036 - 10.10.10.200:82] [l3_proto=TCP][hash=1454961952][tos=16][tcp_seq_num=661801648] [caplen=74][len=74][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=74] After parser:[90:E2:BA:78:26:8C - 90:E2:BA:4A:D8:DC] [IPv4][10.10.10.100:43036 - 10.10.10.200:82] [l3_proto=TCP][hash=1454961952][tos=16][tcp_seq_num=661801648] [caplen=74][len=74][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=74] And next issue related with hashing, I completely disabled hashing with fifth parameter set to zero: pfring_parse_pkt((u_char*)p, (struct pfring_pkthdr*)h, 4, 1, 0); But I still getting hash information: [90:E2:BA:78:26:8C - 90:E2:BA:4A:D8:DC] [IPv4][10.10.10.100:43036 - 10.10.10.200:82] [l3_proto=TCP][hash=1454961952][tos=16][tcp_seq_num=661801648] [caplen=74][len=74][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=74] How it possible? :) Thank you your help! On Thu, Dec 11, 2014 at 5:32 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Did you try replacing your pfring_parse_pkt() call with the below? memset(h-extended_hdr.parsed_pkt, 0, sizeof(h-extended_hdr.parsed_pkt)); pfring_parse_pkt((u_char*)p, (struct pfring_pkthdr*)h, 4, 1, 0); Alfredo On 11 Dec 2014, at 15:30, Pavel Odintsov pavel.odint...@gmail.com wrote: I tried to find fix for this issue but have no success in it :( On Thu, Dec 11, 2014 at 5:23 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel why do you expect a difference? Alfredo On 11 Dec 2014, at 15:11, Pavel Odintsov pavel.odint...@gmail.com wrote: I read diff between 6.0.3 and current SVN and do not found any changes in parser :( Can you help me? On Wed, Dec 10, 2014 at 6:37 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I tried to do manual parsing and it failed with very strange results. I tried do manual parser with vanilla PF_RING and it work perfectly. But when I move to zc:eth4 everything goes weird. You can look at code example here: https://github.com/FastVPSEestiOu/fastnetmon/blob/master/pfring_parser_zc_issue.c Here you can find examples of broken packets generated in ZC mode: [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=2697283473][tos=0][tcp_seq_num=0] [caplen=101][len=101][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=2427859156][tos=0][tcp_seq_num=0] [caplen=128][len=1494][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=785972458][tos=0][tcp_seq_num=0] [caplen=128][len=899][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=235012324][tos=0][tcp_seq_num=0] [caplen=128][len=1514][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=235012324][tos=0][tcp_seq_num=0] [caplen=128][len=1514][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=2452494655][tos=0][tcp_seq_num=0] [caplen=128][len=669][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=3004425024][tos=0][tcp_seq_num=0] [caplen=62][len=62][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=1947699452][tos=0][tcp_seq_num=0] [caplen=82][len=82][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=4270253576][tos=0][tcp_seq_num=0] [caplen=128][len=214][parsed_header_len=0
Re: [Ntop-misc] Feature request - L2TP unpacking in PF_RING
Hello, folks! I added support for L2TP decapsulation over IP with recursive call of pfring_parse_pkt. You can check this example: https://gist.github.com/pavel-odintsov/21e9831fec2895990196 On Tue, Dec 9, 2014 at 2:12 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, Alfredo! Thank you for your answer! I will try to collect pcap data without private data. On Mon, Dec 8, 2014 at 7:38 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Paul do you have a sample .pcap to share with the community? In case someone is willing to take care of the development. Alfredo On 08 Dec 2014, at 11:43, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello, folks! I suggest new feature for L2TP decapsulation. It's very useful in modern decentralized networks. I tried with current PF_RING and got following output: 2014-12-08 13:36:53,537 [INFO] [00:1F:12:84:E2:E7 - 90:E2:BA:49:85:C8] [IPv4][5.254.105.102:0 - 159.22.11.251:0] [l3_proto=115][hash=2784721876][tos=32][tcp_seq_num=0] [caplen=128][len=873][parsed_header_len=0][eth_offset=-14][l3_offset=14][l4_offset=34][payload_offset=0] Could you extract information about packet in tunnel? Thank you so much! -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] How I can enable PF_RING packets parser in ZC mode?
Hello! I tried to do manual parsing and it failed with very strange results. I tried do manual parser with vanilla PF_RING and it work perfectly. But when I move to zc:eth4 everything goes weird. You can look at code example here: https://github.com/FastVPSEestiOu/fastnetmon/blob/master/pfring_parser_zc_issue.c Here you can find examples of broken packets generated in ZC mode: [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=2697283473][tos=0][tcp_seq_num=0] [caplen=101][len=101][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=2427859156][tos=0][tcp_seq_num=0] [caplen=128][len=1494][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=785972458][tos=0][tcp_seq_num=0] [caplen=128][len=899][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=235012324][tos=0][tcp_seq_num=0] [caplen=128][len=1514][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=235012324][tos=0][tcp_seq_num=0] [caplen=128][len=1514][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=2452494655][tos=0][tcp_seq_num=0] [caplen=128][len=669][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=3004425024][tos=0][tcp_seq_num=0] [caplen=62][len=62][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=1947699452][tos=0][tcp_seq_num=0] [caplen=82][len=82][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=4270253576][tos=0][tcp_seq_num=0] [caplen=128][len=214][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [IPv4][5.45.121.206:0 - 71.237.183.84:0] [l3_proto=TCP][hash=2404904871][tos=0][tcp_seq_num=0] [caplen=74][len=74][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=34][payload_offset=0] When I remove zc prefix everything goes OK: [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [vlan 100] [IPv4][46.36.217.163:60425 - 66.212.227.177:80] [l3_proto=TCP][hash=1895475635][tos=0][tcp_seq_num=3109618290] [caplen=74][len=74][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=70] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [vlan 100] [IPv4][185.4.74.46:80 - 79.104.202.167:29676] [l3_proto=TCP][hash=141396247][tos=0][tcp_seq_num=2414040755] [caplen=128][len=1422][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] [90:E2:BA:49:85:C8 - 00:19:E2:B1:EF:C1] [vlan 103] [IPv4][5.45.125.197:80 - 94.19.227.237:19226] [l3_proto=TCP][hash=1665248546][tos=0][tcp_seq_num=3106769437] [caplen=128][len=1322][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] [00:19:E2:B1:EF:C1 - 90:E2:BA:49:85:C8] [IPv4][188.123.252.42:54821 - 5.45.117.243:80] [l3_proto=TCP][hash=3249162392][tos=0][tcp_seq_num=3384753169] [caplen=64][len=64][parsed_header_len=0][eth_offset=-14][l3_offset=14][l4_offset=34][payload_offset=54] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [vlan 100] [IPv4][159.253.23.8:443 - 93.80.68.118:52364] [l3_proto=TCP][hash=4249758155][tos=0][tcp_seq_num=4188560676] [caplen=128][len=320][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] [5C:5E:AB:24:0F:C0 - 90:E2:BA:49:85:C8] [IPv4][54.231.136.26:80 - 159.253.18.81:36360] [l3_proto=TCP][hash=3605342409][tos=0][tcp_seq_num=2042671898] [caplen=64][len=64][parsed_header_len=0][eth_offset=-14][l3_offset=14][l4_offset=34][payload_offset=54] [90:E2:BA:49:85:C8 - 5C:5E:AB:24:0F:C0] [vlan 100] [IPv4][159.253.20.133:80 - 178.18.208.229:41361] [l3_proto=TCP][hash=1376814929][tos=0][tcp_seq_num=1451307525] [caplen=128][len=1522][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] Could you help me? Thank you! On Tue, Oct 21, 2014 at 12:20 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Thank you for fast and useful answer! :) On Tue, Oct 21, 2014 at 12:14 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: No, with standard drivers it uses kernel threads (ksoftirq) Alfredo On 21 Oct 2014, at 10:00, Pavel
[Ntop-misc] Very strange behaviour of pfring_parse_pkt
Hello! I'm trying to do L2TP packet parser and want to do something like this for pasring nested data in l2tp payload: const u_char *l2tp_tunnel_payload = p + h-extended_hdr.parsed_pkt.offset.l4_offset + 4 + 4; struct pfring_pkthdr l2tp_header; memset(l2tp_header, 0, sizeof(l2tp_header)); pfring_parse_pkt((u_char*)l2tp_tunnel_payload, l2tp_header, 4, 0, 0); But parser did not work correctly with abosultely righ shift and I tried to parse packet already parsed by kernel for checking it: const u_char *l2tp_tunnel_payload = p; struct pfring_pkthdr l2tp_header; memset(l2tp_header, 0, sizeof(l2tp_header)); pfring_parse_pkt((u_char*)l2tp_tunnel_payload, l2tp_header, 4, 0, 0); I printed result of kernel parse: 2014-12-09 14:12:09,117 [INFO] [00:1F:12:84:E2:E7 - 90:E2:BA:49:85:C8] [IPv4][5.254.105.102:0 - 159.253.17.251:0] [l3_proto=115][hash=2784721876][tos=32][tcp_seq_num=0] [caplen=128][len=146][parsed_header_len=0][eth_offset=-14][l3_offset=14][l4_offset=34][payload_offset=0] And result of second call: 2014-12-09 14:12:09,117 [INFO] [00:1F:12:84:E2:E7 - 90:E2:BA:49:85:C8] [IPv4][0.0.0.0:0 - 0.0.0.0:0] [l3_proto=0][hash=0][tos=0][tcp_seq_num=0] [caplen=0][len=0][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=0][payload_offset=0] As you can see second call on same packet with zeroed struct pfring_pkthdr struct produces completely incorrect data. How I should initilize struct pfring_pkthdr correctly for pfring_parse_pkt? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Very strange behaviour of pfring_parse_pkt
Thank you! Issue solved: struct pfring_pkthdr l2tp_header; memset(l2tp_header, 0, sizeof(l2tp_header)); l2tp_header.len = h-len; l2tp_header.caplen = h-caplen; On Tue, Dec 9, 2014 at 4:20 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel you are zero’ing also the packet length, thus pfring_parse_pkt() is not able parsing the packet as expected. Alfredo On 09 Dec 2014, at 12:46, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I'm trying to do L2TP packet parser and want to do something like this for pasring nested data in l2tp payload: const u_char *l2tp_tunnel_payload = p + h-extended_hdr.parsed_pkt.offset.l4_offset + 4 + 4; struct pfring_pkthdr l2tp_header; memset(l2tp_header, 0, sizeof(l2tp_header)); pfring_parse_pkt((u_char*)l2tp_tunnel_payload, l2tp_header, 4, 0, 0); But parser did not work correctly with abosultely righ shift and I tried to parse packet already parsed by kernel for checking it: const u_char *l2tp_tunnel_payload = p; struct pfring_pkthdr l2tp_header; memset(l2tp_header, 0, sizeof(l2tp_header)); pfring_parse_pkt((u_char*)l2tp_tunnel_payload, l2tp_header, 4, 0, 0); I printed result of kernel parse: 2014-12-09 14:12:09,117 [INFO] [00:1F:12:84:E2:E7 - 90:E2:BA:49:85:C8] [IPv4][5.254.105.102:0 - 159.253.17.251:0] [l3_proto=115][hash=2784721876][tos=32][tcp_seq_num=0] [caplen=128][len=146][parsed_header_len=0][eth_offset=-14][l3_offset=14][l4_offset=34][payload_offset=0] And result of second call: 2014-12-09 14:12:09,117 [INFO] [00:1F:12:84:E2:E7 - 90:E2:BA:49:85:C8] [IPv4][0.0.0.0:0 - 0.0.0.0:0] [l3_proto=0][hash=0][tos=0][tcp_seq_num=0] [caplen=0][len=0][parsed_header_len=0][eth_offset=0][l3_offset=14][l4_offset=0][payload_offset=0] As you can see second call on same packet with zeroed struct pfring_pkthdr struct produces completely incorrect data. How I should initilize struct pfring_pkthdr correctly for pfring_parse_pkt? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Run PF_RING app without root permission
Hello! You should grant cap_net_admin permission and you will run PF_RING aware tool without root permissions: useradd some_user setcap cap_net_admin+eip pf_ring_aware_tool su some_user On Tue, Dec 9, 2014 at 8:10 PM, Behrooz Shafiee shafie...@gmail.com wrote: Hello folks, How can I run pf_ring applications without root permission? Thanks, -- Behrooz ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Run PF_RING app without root permission
Hello! I haven't any experience in this case but you can try this http://stackoverflow.com/questions/1956732/is-it-possible-to-configure-linux-capabilities-per-user On Tue, Dec 9, 2014 at 8:46 PM, Behrooz Shafiee shafie...@gmail.com wrote: Thanks Pavel, Is there anyway that I can set the capability per user? because I build and compile the application over and over an each time I need root access again to set the capability. Thanks, On Tue, Dec 9, 2014 at 12:22 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! You should grant cap_net_admin permission and you will run PF_RING aware tool without root permissions: useradd some_user setcap cap_net_admin+eip pf_ring_aware_tool su some_user On Tue, Dec 9, 2014 at 8:10 PM, Behrooz Shafiee shafie...@gmail.com wrote: Hello folks, How can I run pf_ring applications without root permission? Thanks, -- Behrooz ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Behrooz ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] Troubles with header file linux/pf_ring.h while installing PF_RING kernel module with DKMS
Hello! I'm using PF_RING for my project and tried to use dkms for kernel module: I did following: cd /usr/src wget http://sourceforge.net/projects/ntop/files/PF_RING/PF_RING-6.0.2.tar.gz/download -OPF_RING.6.0.2.tar.gz tar -xf PF_RING.6.0.2.tar.gz cd /usr/src/PF_RING-6.0.2 # compile kernel module cd /usrc/src/PF_RING-6.0.2/kernel apt-get install dpkg-dev dkms debhelper make -f Makefile.dkms deb dpkg -i /var/lib/dkms/pfring/6.0.2/deb/pfring-dkms_6.0.2_all.deb # compile libs cd /usr/src/PF_RING-6.0.2/userland/lib apt-get install -y libnuma-dev ./configure --prefix=/opt/pf_ring_6_0_2 make install After this I created test example: cat test_pf_ring.c #include pfring.h int main() { } And tried to compile it but without any success: LANG=C gcc test_pf_ring.c -I/opt/pf_ring_6_0_2/include -L/opt/pf_ring/lib -lpfring And got following: LOCALE=C LANG=C gcc test_pf_ring.c -I/opt/pf_ring_6_0_2/include -L/opt/pf_ring/lib -lpfring In file included from test_pf_ring.c:1: /opt/pf_ring_6_0_2/include/pfring.h:60:27: error: linux/pf_ring.h: No such file or directory In file included from test_pf_ring.c:1: /opt/pf_ring_6_0_2/include/pfring.h:116: warning: ‘struct pfring_pkthdr’ declared inside parameter list /opt/pf_ring_6_0_2/include/pfring.h:116: warning: its scope is only this definition or declaration, which is probably not what you want /opt/pf_ring_6_0_2/include/pfring.h:172: error: expected specifier-qualifier-list before ‘packet_direction’ In file included from test_pf_ring.c:1: /opt/pf_ring_6_0_2/include/pfring.h:389: error: ‘MAX_NUM_RX_CHANNELS’ undeclared here (not in a function) /opt/pf_ring_6_0_2/include/pfring.h:449: warning: ‘struct pfring_pkthdr’ declared inside parameter list /opt/pf_ring_6_0_2/include/pfring.h:465: warning: ‘struct pfring_pkthdr’ declared inside parameter list /opt/pf_ring_6_0_2/include/pfring.h:508: error: expected declaration specifiers or ‘...’ before ‘hw_filtering_rule’ /opt/pf_ring_6_0_2/include/pfring.h:608: warning: ‘struct pfring_pkthdr’ declared inside parameter list /opt/pf_ring_6_0_2/include/pfring.h:652: error: expected declaration specifiers or ‘...’ before ‘packet_direction’ /opt/pf_ring_6_0_2/include/pfring.h:660: error: expected declaration specifiers or ‘...’ before ‘socket_mode’ /opt/pf_ring_6_0_2/include/pfring.h:673: error: expected declaration specifiers or ‘...’ before ‘cluster_type’ /opt/pf_ring_6_0_2/include/pfring.h:742: error: expected declaration specifiers or ‘...’ before ‘hash_filtering_rule’ /opt/pf_ring_6_0_2/include/pfring.h:769: error: expected declaration specifiers or ‘...’ before ‘filtering_rule’ /opt/pf_ring_6_0_2/include/pfring.h:806: error: expected declaration specifiers or ‘...’ before ‘hash_filtering_rule’ /opt/pf_ring_6_0_2/include/pfring.h:925: error: expected declaration specifiers or ‘...’ before ‘virtual_filtering_device_info’ /opt/pf_ring_6_0_2/include/pfring.h:1108: warning: ‘struct pfring_pkthdr’ declared inside parameter list /opt/pf_ring_6_0_2/include/pfring.h:1181: warning: ‘struct pfring_pkthdr’ declared inside parameter list /opt/pf_ring_6_0_2/include/pfring.h:1209: warning: ‘struct pfring_pkthdr’ declared inside parameter list /opt/pf_ring_6_0_2/include/pfring.h:1253: warning: ‘struct pfring_pkthdr’ declared inside parameter list /opt/pf_ring_6_0_2/include/pfring.h:1299: warning: ‘struct pfring_pkthdr’ declared inside parameter list I tried to investigate this issue and didn't found pf_ring.h header anywhere: find /usr|grep -v '/usr/src'|grep pf_ring|wc -l 0 Is it possible to add header files to dkms package? Or maybe you can move this .h file to library? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] Feature request - L2TP unpacking in PF_RING
Hello, folks! I suggest new feature for L2TP decapsulation. It's very useful in modern decentralized networks. I tried with current PF_RING and got following output: 2014-12-08 13:36:53,537 [INFO] [00:1F:12:84:E2:E7 - 90:E2:BA:49:85:C8] [IPv4][5.254.105.102:0 - 159.22.11.251:0] [l3_proto=115][hash=2784721876][tos=32][tcp_seq_num=0] [caplen=128][len=873][parsed_header_len=0][eth_offset=-14][l3_offset=14][l4_offset=34][payload_offset=0] Could you extract information about packet in tunnel? Thank you so much! -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Hardware filtering problem
Hello, Katarina! You can look at my code which uses hw filtering with 82599: https://github.com/FastVPSEestiOu/fastnetmon/blob/master/fastnetmon.cpp#L2167 but examples from PF_RING are better :) On Tue, Nov 25, 2014 at 10:49 AM, Katarina Valent katarina.val...@intendanet.hr wrote: Hi Alfredo Thank you for your prompt response. We will look into examples you have mentioned. We were using instructions from: http://www.ntop.org/products/pf_ring/hardware-packet-filtering/ Are there any updated instructions we could use? Best regards, Katarina Valent From: ntop-misc-boun...@listgateway.unipi.it [mailto:ntop-misc-boun...@listgateway.unipi.it] On Behalf Of Alfredo Cardigliano Sent: Monday, November 24, 2014 5:03 PM To: ntop-misc@listgateway.unipi.it Subject: Re: [Ntop-misc] Hardware filtering problem Hi Katarina please read below On 24 Nov 2014, at 15:18, Katarina Valent katarina.val...@intendanet.hr wrote: Hi Until now, we have used PF_RING TNAPI for packet filtering on Intel 1G card so we are familiar with PF_RING. We are now working on a project that requires hardware filtering on 82599 Intel network card using PF_RING. We have recently purchased PF_RING ZC license for 10 Gbit adapters Steps we have done: - Downloaded downloaded PF_RING-6.0.2.tar.gz - Compiled PF_RING and drivers from PF_RING-6.0.2 - purchased PF_RING ZC license for 10 Gbit adapters (order 1416498630) - downloaded http://www.nmon.net/packages/debian/7.6/all/PF_RING-dkms/pfring-dkms_6.0.3_all.deb and installed it - activated licence per instructions - insmoding pf_ring and ixgbe.ko driver using script in attachment (script is located in /opt/PF_RING-6.0.2/drivers/PF_RING_aware/intel/ixgbe/ixgbe-3.21.2-zc/src) Problems we have: - we don't seem to get file in cat /proc/net/pf_ring/dev/eth2/rules where rules for hardware filtering can be set. /proc is deprecated, you should add/remove rules using the API. Please take a look at the examples in PF_RING/userland/{examples,examples_zc}, for instance ./zcount -h | grep \-R - Insmod ixgbe.ko with parameter FdirMode=2,2,2,2 returns: Error: could not insert module ixgbe.ko: Unknown symbol in module FdirMode is deprecated, actually it is not present in the enclosed script. - In dmesg after using load_driver_“.sh script we do not get line: ixgbe: :02:00.0: ixgbe_check_options: Flow Director perfect filtering enabled You should not expect this message in latest driver. I have attached output from dmesg after using script load_driver_2.sh Can you help us determine what are we doing wrong? Thank you in advance, Katarina Valent Best Regards Alfredo ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Hardware filtering problem
Hello! We checked PF_RING hw filters and add they correctly. But we can't see added rules with ethtool. Maybe it buggy... On Tue, Nov 25, 2014 at 2:44 PM, Katarina Valent katarina.val...@intendanet.hr wrote: Thank you. This was very helpful. Best regards, Katarina Valent From: ntop-misc-boun...@listgateway.unipi.it [mailto:ntop-misc-boun...@listgateway.unipi.it] On Behalf Of Alfredo Cardigliano Sent: Tuesday, November 25, 2014 12:36 PM To: ntop-misc@listgateway.unipi.it Subject: Re: [Ntop-misc] Hardware filtering problem Hi Katarina ethtool should work but it is not pf_ring-specific, we do not have documentation for that sorry. Alfredo On 25 Nov 2014, at 12:32, Katarina Valent katarina.val...@intendanet.hr wrote: Hi Alfredo I have looked into example in zcount.c and have few questions. In script there is mentioned FlowDirector and ehtool. In https://www.kernel.org/doc/Documentation/networking/ixgbe.txt I have found how FlowDirector is used using ethool. My question is: to start hardware filtering is it enough to add rule using ethtool? Do you have any documentation on adding filters using ethtool? Thank you, Katarina Valent From: ntop-misc-boun...@listgateway.unipi.it [mailto:ntop-misc-boun...@listgateway.unipi.it] On Behalf Of Alfredo Cardigliano Sent: Tuesday, November 25, 2014 10:23 AM To: ntop-misc@listgateway.unipi.it Subject: Re: [Ntop-misc] Hardware filtering problem Hi Katarina you are right, we will update the documentation asap, please also look at PF_RING/userland/examples/pfcount_82599.c for more examples. Best Regartds Alfredo On 25 Nov 2014, at 08:49, Katarina Valent katarina.val...@intendanet.hr wrote: Hi Alfredo Thank you for your prompt response. We will look into examples you have mentioned. We were using instructions from: http://www.ntop.org/products/pf_ring/hardware-packet-filtering/ Are there any updated instructions we could use? Best regards, Katarina Valent From: ntop-misc-boun...@listgateway.unipi.it [mailto:ntop-misc-boun...@listgateway.unipi.it] On Behalf Of Alfredo Cardigliano Sent: Monday, November 24, 2014 5:03 PM To: ntop-misc@listgateway.unipi.it Subject: Re: [Ntop-misc] Hardware filtering problem Hi Katarina please read below On 24 Nov 2014, at 15:18, Katarina Valent katarina.val...@intendanet.hr wrote: Hi Until now, we have used PF_RING TNAPI for packet filtering on Intel 1G card so we are familiar with PF_RING. We are now working on a project that requires hardware filtering on 82599 Intel network card using PF_RING. We have recently purchased PF_RING ZC license for 10 Gbit adapters Steps we have done: - Downloaded downloaded PF_RING-6.0.2.tar.gz - Compiled PF_RING and drivers from PF_RING-6.0.2 - purchased PF_RING ZC license for 10 Gbit adapters (order 1416498630) - downloaded http://www.nmon.net/packages/debian/7.6/all/PF_RING-dkms/pfring-dkms_6.0.3_all.deb and installed it - activated licence per instructions - insmoding pf_ring and ixgbe.ko driver using script in attachment (script is located in /opt/PF_RING-6.0.2/drivers/PF_RING_aware/intel/ixgbe/ixgbe-3.21.2-zc/src) Problems we have: - we don't seem to get file in cat /proc/net/pf_ring/dev/eth2/rules where rules for hardware filtering can be set. /proc is deprecated, you should add/remove rules using the API. Please take a look at the examples in PF_RING/userland/{examples,examples_zc}, for instance ./zcount -h | grep \-R - Insmod ixgbe.ko with parameter FdirMode=2,2,2,2 returns: Error: could not insert module ixgbe.ko: Unknown symbol in module FdirMode is deprecated, actually it is not present in the enclosed script. - In dmesg after using load_driver_“.sh script we do not get line: ixgbe: :02:00.0: ixgbe_check_options: Flow Director perfect filtering enabled You should not expect this message in latest driver. I have attached output from dmesg after using script load_driver_2.sh Can you help us determine what are we doing wrong? Thank you in advance, Katarina Valent Best Regards Alfredo ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] Wrong RING version: kernel is 16, libpfring was compiled with 15: error with latest PF_RING 6.0.2
Hello, folks! I tried to build kernel module and library 6.0.2 version. After this I recompiled my tool too. But when I run my application I got error: Wrong RING version: kernel is 16, libpfring was compiled with 15 I checked multiple times and rebuild library many times but still got this error :( -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] Site problems at http://www.ntop.org/products/pf_ring/
Hello! Subject! -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] pfring packet loss
Hello! Could you show top header and htop output? On Fri, Nov 7, 2014 at 12:48 AM, Behrooz Shafiee shafie...@gmail.com wrote: Hi everyone, I have implemented a small transmission protocol over pfring. I rely on the Ethernet flow control meaning that I assume that in the same subnet I won't loose any packet (I've no router so no queueing...). Everything was fine until I did some stress test as follows. I have a rcvThread which block on pfring_recv() function for each one incoming packet and process it. I start a huge number of other threads(e.g 5000) and each of them send a req to server through pfring_send (resp is one packet). And then server replies with 5000 packet. most of the time i receive the 5000 packets but sometimes I miss some of them. For example I reach the line after pfring_recv() 4503 times. I thought this is due to overflow in the NIC but I use intel pro which has both rx/tx flow pause frame on and I actually used a packet dump tool (such as wireshark) and I see the packets are being received by the NIC. So I assume they get lost somewhere a long the line from NIC to pfring_recv() function. Can anyone help me what might have gone wrong? PS. I use pfring in normal mode not DNA Thanks, -- Behrooz ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] PF_RING kernel overload and kernel crash
Hello, folks! We are testing PF_RING in heavy loaded environment and hit few bugs at ~7Mpps. We using non Zero Copy drivers, we use plain pf_ring and patched network drivers. Please take a look at this screens: https://www.dropbox.com/s/mio6fz9gz52x4fj/perftoppng.png?dl=0 https://www.dropbox.com/s/l4us5il10fjvl24/toppng.png?dl=0 Environment: centos 7 3.10.0-123.6.3.el7.x86_64 PF_RING 6.0.2 PF_RING kernel module configuration: transparent_mode=2 quick_mode=1 As you can see PF_RING eat whole cpu and kill sever at average load But after few tests we really killed this server and it crashed with following errors: [13086.272014] [13086.272020] CPU: 25 PID: 0 Comm: swapper/25 Tainted: GF O-- 3.10.0-123.6.3.el7.x86_64 #1 [13086.272064] Hardware name: Dell Inc. PowerEdge R720xd/0HJK12, BIOS 2.2.2 01/16/2014 [13086.272098] task: 880fe8d571c0 ti: 880fe8d66000 task.ti: 880fe8d66000 [13086.272132] RIP: 0010:[812c6096] [812c6096] memcpy+0x6/0x110 [13086.272169] RSP: 0018:881fff383ac0 EFLAGS: 00010282 [13086.272194] RAX: c90022ada036 RBX: fffc RCX: fffcf032 [13086.272226] RDX: fffc RSI: 881f617ba698 RDI: c90022b0b000 [13086.272258] RBP: 881fff383b18 R08: c90022ada036 R09: 0081 [13086.272290] R10: 881f4c3ab800 R11: a04c8020 R12: [13086.272321] R13: fffc R14: 881fff383c4c R15: 0032 [13086.272367] FS: () GS:881fff38() knlGS: [13086.272403] CS: 0010 DS: ES: CR0: 80050033 [13086.272430] CR2: c90022b0b000 CR3: 018d CR4: 001407e0 [13086.272477] DR0: DR1: DR2: [13086.272509] DR3: DR6: 0ff0 DR7: 0400 [13086.272554] Stack: [13086.272566] 814bf080 881fe1a16000 881f4c3ab800 [13086.272613] 881fff383af0 881f4c3ab800 881fe1a16000 881f4c3ab800 [13086.272659] 881fff383c4c 881f4c3ab800 881fff383d50 [13086.272711] Call Trace: [13086.272725] IRQ [13086.272738] [13086.272755] [814bf080] ? skb_copy_bits+0x60/0x290 [13086.272789] [a04ba920] skb_ring_handler+0x1600/0x1ef0 [pf_ring] [13086.272838] [8114ae64] ? __alloc_pages_nodemask+0x174/0xb10 [13086.272871] [81149868] ? free_compound_page+0x38/0x40 [13086.272901] [814be5d0] ? build_skb+0x30/0x1d0 [13086.272936] [a03fe818] ixgbe_clean_rx_irq+0x928/0xd70 [ixgbe] [13086.272971] [810a1cc7] ? enqueue_entity+0x237/0x890 [13086.273002] [a03d] ixgbe_poll+0x46d/0x820 [ixgbe] [13086.273033] [814d02aa] net_rx_action+0x15a/0x250 [13086.273074] [81067047] __do_softirq+0xf7/0x290 [13086.273103] [815f40dc] call_softirq+0x1c/0x30 [13086.273132] [81014d25] do_softirq+0x55/0x90 [13086.274236] [810673e5] irq_exit+0x115/0x120 [13086.275334] [815f49d8] do_IRQ+0x58/0xf0 [13086.276418] [815e9b2d] common_interrupt+0x6d/0x6d [13086.277509] EOI [13086.277520] [13086.278578] [81483252] ? cpuidle_enter_state+0x52/0xc0 [13086.279643] [81483385] cpuidle_idle_call+0xc5/0x200 [13086.280825] [8101bcae] arch_cpu_idle+0xe/0x30 [13086.281942] [810b47b5] cpu_startup_entry+0xf5/0x290 [13086.282983] [815cff11] start_secondary+0x265/0x27b [13086.283989] Code: 43 58 48 2b 43 50 88 43 4e 5b 5d c3 66 0f 1f 84 00 00 00 00 00 e8 fb fb ff ff eb e2 90 90 90 90 90 90 90 90 90 48 89 f8 48 89 d1 f3 a4 c3 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 20 4c 8b 06 4c 8b [13086.286116] RIP [812c6096] memcpy+0x6/0x110 [13086.287102] RSP 881fff383ac0 [13086.288042] CR2: c90022b0b000 Can you fix this issues? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] How I can enable PF_RING packets parser in ZC mode?
Hello, folks! I tried to use zc mode in my AntiDDoS toolkit (https://github.com/FastVPSEestiOu/fastnetmon) and I use PF_RING packets parser because it's very fast and reliable. I use PF_RING in old fashion way: pfring_loop(pf_ring_descr, parse_packet_pf_ring, (u_char*)NULL, wait_for_packet); When I enable zc mode (change from eth3 to zc:eth3) I see alд packets but PF_RING's packet parser did not work totally. I found this in documentation: pfring_open() flag: Disable packet parsing also when 1-copy is used. (parsing already disabled in zero-copy) But I can't find any way to enable parser in ZC mode. Surely, I can call parser manually: pfring_parse_pkt((u_char*)p, (struct pfring_pkthdr*)h, 5, 0, 0); But this way is not ok because standard parser work in multiple threads and correctly spread load for all cores but when I call pfring_parse_pkt manually it's eat whole core. Could I enable PF_RING packet parser for ZC mode? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] How I can enable PF_RING packets parser in ZC mode?
Hello! Yep, I can run it in my tool but standard parser with no-zc mode spread for all cores. It uses additional threads inside pf_ring? ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] How I can enable PF_RING packets parser in ZC mode?
Thank you for fast and useful answer! :) On Tue, Oct 21, 2014 at 12:14 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: No, with standard drivers it uses kernel threads (ksoftirq) Alfredo On 21 Oct 2014, at 10:00, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! Yep, I can run it in my tool but standard parser with no-zc mode spread for all cores. It uses additional threads inside pf_ring? ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
[Ntop-misc] Extremely big packet length after PF_RING packet parser
Hello! I use PF_RING packets parser and got very strange packets size in network with stadnard MTU (1500): 2014-10-16 03:32:50.483384 188.120.233.239:39393 5.45.118.135:80 protocol: tcp size: 66 bytes 2014-10-16 03:32:50.483385 188.120.233.239:39393 5.45.118.135:80 protocol: tcp size: 66 bytes 2014-10-16 03:32:50.483386 188.120.233.239:39393 5.45.118.135:80 protocol: tcp size: 66 bytes 2014-10-16 03:32:50.483415 5.45.118.135:80 188.120.233.239:39393 protocol: tcp size: 14550 bytes 2014-10-16 03:32:50.483430 188.120.233.239:39393 5.45.118.135:80 protocol: tcp size: 66 bytes 2014-10-16 03:32:50.483435 5.45.118.135:80 188.120.233.239:39391 protocol: tcp size: 1518 bytes 2014-10-16 03:32:50.483457 5.45.118.135:80 188.120.233.239:39391 protocol: tcp size: 5862 bytes 2014-10-16 03:32:50.483482 5.45.118.135:80 188.120.233.239:39391 protocol: tcp size: 1518 bytes 2014-10-16 03:32:50.483515 5.45.118.135:80 188.120.233.239:39392 protocol: tcp size: 1518 bytes 2014-10-16 03:32:50.483518 5.45.118.135:80 188.120.233.239:39391 protocol: tcp size: 1518 bytes 2014-10-16 03:32:50.483526 188.120.233.239:39392 5.45.118.135:80 protocol: tcp size: 66 bytes Full list: https://gist.github.com/pavel-odintsov/6aac022b8f6eebd284ff I got h-len from pfring_pkthdr *h struct with no processing. How it possible? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Extremely big packet length after PF_RING packet parser
Hello! Yep, it enabled :( ethtool -k eth3 Features for eth3: rx-checksumming: on tx-checksumming: on tx-checksum-ipv4: on tx-checksum-unneeded: off [fixed] tx-checksum-ip-generic: off [fixed] tx-checksum-ipv6: on tx-checksum-fcoe-crc: off [fixed] tx-checksum-sctp: on scatter-gather: on tx-scatter-gather: on tx-scatter-gather-fraglist: off [fixed] tcp-segmentation-offload: on tx-tcp-segmentation: on tx-tcp-ecn-segmentation: off [fixed] tx-tcp6-segmentation: on udp-fragmentation-offload: off [fixed] generic-segmentation-offload: on generic-receive-offload: on large-receive-offload: on rx-vlan-offload: on tx-vlan-offload: on ntuple-filters: off receive-hashing: on highdma: on [fixed] rx-vlan-filter: on [fixed] vlan-challenged: off [fixed] tx-lockless: off [fixed] netns-local: off [fixed] tx-gso-robust: off [fixed] tx-fcoe-segmentation: off [fixed] fcoe-mtu: off [fixed] tx-nocache-copy: on loopback: off [fixed] I disabled it completely with commands: ethtool -K eth0 gro off gso off tso off On Wed, Oct 22, 2014 at 1:35 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel do you have tso/gso enabled perhaps? (please check with ethtool -k ethX) Alfredo On 21 Oct 2014, at 11:19, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I use PF_RING packets parser and got very strange packets size in network with stadnard MTU (1500): 2014-10-16 03:32:50.483384 188.120.233.239:39393 5.45.118.135:80 protocol: tcp size: 66 bytes 2014-10-16 03:32:50.483385 188.120.233.239:39393 5.45.118.135:80 protocol: tcp size: 66 bytes 2014-10-16 03:32:50.483386 188.120.233.239:39393 5.45.118.135:80 protocol: tcp size: 66 bytes 2014-10-16 03:32:50.483415 5.45.118.135:80 188.120.233.239:39393 protocol: tcp size: 14550 bytes 2014-10-16 03:32:50.483430 188.120.233.239:39393 5.45.118.135:80 protocol: tcp size: 66 bytes 2014-10-16 03:32:50.483435 5.45.118.135:80 188.120.233.239:39391 protocol: tcp size: 1518 bytes 2014-10-16 03:32:50.483457 5.45.118.135:80 188.120.233.239:39391 protocol: tcp size: 5862 bytes 2014-10-16 03:32:50.483482 5.45.118.135:80 188.120.233.239:39391 protocol: tcp size: 1518 bytes 2014-10-16 03:32:50.483515 5.45.118.135:80 188.120.233.239:39392 protocol: tcp size: 1518 bytes 2014-10-16 03:32:50.483518 5.45.118.135:80 188.120.233.239:39391 protocol: tcp size: 1518 bytes 2014-10-16 03:32:50.483526 188.120.233.239:39392 5.45.118.135:80 protocol: tcp size: 66 bytes Full list: https://gist.github.com/pavel-odintsov/6aac022b8f6eebd284ff I got h-len from pfring_pkthdr *h struct with no processing. How it possible? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Extremely big packet length after PF_RING packet parser
Thank you so much! I will check it! On Wed, Oct 22, 2014 at 2:05 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: You should disable them if you need real packets. Alfredo On 22 Oct 2014, at 00:00, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! Yep, it enabled :( ethtool -k eth3 Features for eth3: rx-checksumming: on tx-checksumming: on tx-checksum-ipv4: on tx-checksum-unneeded: off [fixed] tx-checksum-ip-generic: off [fixed] tx-checksum-ipv6: on tx-checksum-fcoe-crc: off [fixed] tx-checksum-sctp: on scatter-gather: on tx-scatter-gather: on tx-scatter-gather-fraglist: off [fixed] tcp-segmentation-offload: on tx-tcp-segmentation: on tx-tcp-ecn-segmentation: off [fixed] tx-tcp6-segmentation: on udp-fragmentation-offload: off [fixed] generic-segmentation-offload: on generic-receive-offload: on large-receive-offload: on rx-vlan-offload: on tx-vlan-offload: on ntuple-filters: off receive-hashing: on highdma: on [fixed] rx-vlan-filter: on [fixed] vlan-challenged: off [fixed] tx-lockless: off [fixed] netns-local: off [fixed] tx-gso-robust: off [fixed] tx-fcoe-segmentation: off [fixed] fcoe-mtu: off [fixed] tx-nocache-copy: on loopback: off [fixed] I disabled it completely with commands: ethtool -K eth0 gro off gso off tso off On Wed, Oct 22, 2014 at 1:35 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel do you have tso/gso enabled perhaps? (please check with ethtool -k ethX) Alfredo On 21 Oct 2014, at 11:19, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I use PF_RING packets parser and got very strange packets size in network with stadnard MTU (1500): 2014-10-16 03:32:50.483384 188.120.233.239:39393 5.45.118.135:80 protocol: tcp size: 66 bytes 2014-10-16 03:32:50.483385 188.120.233.239:39393 5.45.118.135:80 protocol: tcp size: 66 bytes 2014-10-16 03:32:50.483386 188.120.233.239:39393 5.45.118.135:80 protocol: tcp size: 66 bytes 2014-10-16 03:32:50.483415 5.45.118.135:80 188.120.233.239:39393 protocol: tcp size: 14550 bytes 2014-10-16 03:32:50.483430 188.120.233.239:39393 5.45.118.135:80 protocol: tcp size: 66 bytes 2014-10-16 03:32:50.483435 5.45.118.135:80 188.120.233.239:39391 protocol: tcp size: 1518 bytes 2014-10-16 03:32:50.483457 5.45.118.135:80 188.120.233.239:39391 protocol: tcp size: 5862 bytes 2014-10-16 03:32:50.483482 5.45.118.135:80 188.120.233.239:39391 protocol: tcp size: 1518 bytes 2014-10-16 03:32:50.483515 5.45.118.135:80 188.120.233.239:39392 protocol: tcp size: 1518 bytes 2014-10-16 03:32:50.483518 5.45.118.135:80 188.120.233.239:39391 protocol: tcp size: 1518 bytes 2014-10-16 03:32:50.483526 188.120.233.239:39392 5.45.118.135:80 protocol: tcp size: 66 bytes Full list: https://gist.github.com/pavel-odintsov/6aac022b8f6eebd284ff I got h-len from pfring_pkthdr *h struct with no processing. How it possible? -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Troubles with PF_RING and GRE
Thank you! We got new errors: [222005.153857] [PF_RING] Welcome to PF_RING 6.0.2 ($Revision: 7892$) [222005.153859] (C) 2004-14 ntop.org [222005.154001] [PF_RING] registered /proc/net/pf_ring/ [222005.154064] NET: Registered protocol family 27 [222005.154131] [PF_RING] WARNING: multiple devices with the same name [222005.154194] [PF_RING] WARNING: multiple devices with the same name [222005.154255] [PF_RING] WARNING: multiple devices with the same name [222005.154317] [PF_RING] WARNING: multiple devices with the same name [222005.154378] [PF_RING] WARNING: multiple devices with the same name [222005.154441] [PF_RING] WARNING: multiple devices with the same name [222005.154504] [PF_RING] WARNING: multiple devices with the same name [222005.154565] [PF_RING] WARNING: multiple devices with the same name [222005.154627] [PF_RING] WARNING: multiple devices with the same name [222005.154696] [PF_RING] WARNING: multiple devices with the same name [222005.154759] [PF_RING] WARNING: multiple devices with the same name [222005.154822] [PF_RING] WARNING: multiple devices with the same name [222005.154884] [PF_RING] WARNING: multiple devices with the same name [222005.154946] [PF_RING] WARNING: multiple devices with the same name [222005.155007] [PF_RING] WARNING: multiple devices with the same name [222005.155069] [PF_RING] WARNING: multiple devices with the same name [222005.155131] [PF_RING] WARNING: multiple devices with the same name [222005.155192] [PF_RING] WARNING: multiple devices with the same name [222005.155254] [PF_RING] WARNING: multiple devices with the same name [222005.155315] [PF_RING] WARNING: multiple devices with the same name [222005.155377] [PF_RING] WARNING: multiple devices with the same name [222005.155439] [PF_RING] WARNING: multiple devices with the same name [222005.155502] [PF_RING] WARNING: multiple devices with the same name [222005.155564] [PF_RING] WARNING: multiple devices with the same name [222005.155625] [PF_RING] WARNING: multiple devices with the same name [222005.155690] [PF_RING] WARNING: multiple devices with the same name [222005.155752] [PF_RING] WARNING: multiple devices with the same name [222005.155814] [PF_RING] WARNING: multiple devices with the same name [222005.155875] [PF_RING] WARNING: multiple devices with the same name [222005.155937] [PF_RING] WARNING: multiple devices with the same name [222005.155998] [PF_RING] WARNING: multiple devices with the same name [222005.156060] [PF_RING] WARNING: multiple devices with the same name [222005.156121] [PF_RING] WARNING: multiple devices with the same name [222005.156183] [PF_RING] WARNING: multiple devices with the same name [222005.156244] [PF_RING] WARNING: multiple devices with the same name [222005.156306] [PF_RING] WARNING: multiple devices with the same name [222005.156367] [PF_RING] WARNING: multiple devices with the same name [222005.156429] [PF_RING] WARNING: multiple devices with the same name [222005.156493] [PF_RING] WARNING: multiple devices with the same name [222005.156555] [PF_RING] WARNING: multiple devices with the same name [222005.156617] [PF_RING] WARNING: multiple devices with the same name [222005.156678] [PF_RING] WARNING: multiple devices with the same name [222005.156774] [PF_RING] WARNING: multiple devices with the same name [222005.156836] [PF_RING] WARNING: multiple devices with the same name [222005.156898] [PF_RING] WARNING: multiple devices with the same name [222005.156960] [PF_RING] WARNING: multiple devices with the same name [222005.157021] [PF_RING] Min # ring slots 4096 [222005.157079] [PF_RING] Slot version 15 [222005.157136] [PF_RING] Capture TX Yes [RX+TX] [222005.157194] [PF_RING] Transparent Mode 0 [222005.157252] [PF_RING] IP DefragmentNo [222005.157309] [PF_RING] Initialized correctly On Sun, Jul 13, 2014 at 11:38 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel please update again and let us know (cutpaste again the dmesg output) Thank you Alfredo On 12 Jul 2014, at 22:15, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! We got same error with svn version of PF_RING: [130426.881833] NET: Unregistered protocol family 27 [130426.881966] [PF_RING] Module unloaded [130446.628660] [PF_RING] Welcome to PF_RING 6.0.2 ($Revision: 7885$) [130446.628662] (C) 2004-14 ntop.org [130446.628794] [PF_RING] registered /proc/net/pf_ring/ [130446.628853] NET: Registered protocol family 27 [130446.628917] [ cut here ] [130446.628979] WARNING: at fs/proc/generic.c:651 proc_register+0xb9/0x170() (Tainted: GW --- ) [130446.629100] Hardware name: MS-7522 [130446.629156] proc_dir_entry 'dev/gretap0' already registered [130446.629216] Modules linked in: pf_ring(+)(U) cls_u32 sch_sfq sch_htb cpufreq_ondemand acpi_cpufreq freq_table mperf coretemp vzethdev pio_nfs pio_direct pfmt_raw pfmt_ploop1 ploop simfs vziolimit vzdquota ip6t_REJECT ip6table_mangle xt_length xt_hl xt_tcpmss xt_TCPMSS
Re: [Ntop-misc] Troubles with PF_RING and GRE
pfmt_raw pfmt_ploop1 ploop simfs vziolimit vzdquota ip6t_REJECT ip6table_mangle xt_length xt_hl xt_tcpmss xt_TCPMSS iptable_mangle xt_multiport xt_limit xt_dscp ipt_REJECT vzevent netconsole configfs vznetdev ip_gre ip_tunnel iptable_filter ip6table_filter ip6_tables nf_conntrack_ftp xt_recent vzrst vzcpt vzmon vzdev nfs lockd fscache auth_rpcgss nfs_acl sunrpc xt_connlimit ipt_REDIRECT xt_owner nf_conntrack_ipv6 nf_defrag_ipv6 xt_state ipt_LOG xfrm_ipcomp xfrm4_mode_transport pppol2tp pppox xfrm6_mode_tunnel xfrm4_mode_tunnel esp6 ipv6 esp4 af_key arc4 ecb ppp_mppe ppp_deflate zlib_deflate ppp_async ppp_generic slhc crc_ccitt fuse iptable_nat ip_tables nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 tun iTCO_wdt iTCO_vendor_support e1000 sg snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore snd_page_alloc i2c_i801 lpc_ich mfd_core i7core_edac edac_core shpchp tpm_tis tpm tpm_bios ext4 jbd2 mbcache sd_mod crc_t10dif ahci aacraid nouveau ttm drm_kms_helper drm i2c_algo_bit i2c_core mxm_wmi video output wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: pf_ring] [130446.634959] Pid: 834547, comm: insmod veid: 0 Tainted: GW ---2.6.32-042stab092.2 #1 [130446.635074] Call Trace: [130446.635130] [81075587] ? warn_slowpath_common+0x87/0xc0 [130446.635192] [81075676] ? warn_slowpath_fmt+0x46/0x50 [130446.635254] [81222cb9] ? proc_register+0xb9/0x170 [130446.635315] [81223032] ? proc_mkdir_mode+0x42/0x60 [130446.635376] [81223066] ? proc_mkdir+0x16/0x20 [130446.635463] [a0722539] ? add_device_to_ring_list+0xb9/0x220 [pf_ring] [130446.635576] [8107578a] ? _call_console_drivers+0x4a/0x80 [130446.635638] [81075f81] ? release_console_sem+0x1e1/0x230 [130446.635702] [a07227f1] ? ring_notifier+0x151/0x3c0 [pf_ring] [130446.635764] [81076a96] ? vprintk+0x36/0x50 [130446.635824] [8146991f] ? register_netdevice_notifier+0x8f/0x1e0 [130446.635888] [a0502000] ? ring_init+0x0/0x37c [pf_ring] [130446.635951] [a05022bd] ? ring_init+0x2bd/0x37c [pf_ring] [130446.636014] [8100204c] ? do_one_initcall+0x3c/0x1d0 [130446.636075] [810cee41] ? sys_init_module+0xe1/0x250 [130446.636137] [8100b102] ? system_call_fastpath+0x16/0x1b [130446.636198] ---[ end trace c64bbb75ce2a5d47 ]--- [130446.636257] Tainting kernel with flag 0x9 [130446.636315] Pid: 834547, comm: insmod veid: 0 Tainted: GW ---2.6.32-042stab092.2 #1 [130446.636433] Call Trace: [130446.636489] [81075411] ? add_taint+0x71/0x80 [130446.636603] [81075594] ? warn_slowpath_common+0x94/0xc0 [130446.636665] [81075676] ? warn_slowpath_fmt+0x46/0x50 [130446.636726] [81222cb9] ? proc_register+0xb9/0x170 [130446.636787] [81223032] ? proc_mkdir_mode+0x42/0x60 [130446.636848] [81223066] ? proc_mkdir+0x16/0x20 [130446.636911] [a0722539] ? add_device_to_ring_list+0xb9/0x220 [pf_ring] [130446.637023] [8107578a] ? _call_console_drivers+0x4a/0x80 [130446.637085] [81075f81] ? release_console_sem+0x1e1/0x230 [130446.637149] [a07227f1] ? ring_notifier+0x151/0x3c0 [pf_ring] [130446.637211] [81076a96] ? vprintk+0x36/0x50 [130446.637271] [8146991f] ? register_netdevice_notifier+0x8f/0x1e0 [130446.637336] [a0502000] ? ring_init+0x0/0x37c [pf_ring] [130446.637399] [a05022bd] ? ring_init+0x2bd/0x37c [pf_ring] [130446.637464] [8100204c] ? do_one_initcall+0x3c/0x1d0 [130446.637526] [810cee41] ? sys_init_module+0xe1/0x250 [130446.637588] [8100b102] ? system_call_fastpath+0x16/0x1b On Fri, Jul 11, 2014 at 3:51 PM, Pavel Odintsov pavel.odint...@gmail.com wrote: Thank you! I will check it soon. On Fri, Jul 11, 2014 at 2:26 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel please try updating from svn and let us know. Cutpaste dmesg and ifconfig output if possible. Thank you Alfredo On 11 Jul 2014, at 09:09, Pavel Odintsov pavel.odint...@gmail.com wrote: Right! On Fri, Jul 11, 2014 at 11:08 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Ok now I understand. Is this happening *only* when GRE is up? Alfredo On 11 Jul 2014, at 08:58, Pavel Odintsov pavel.odint...@gmail.com wrote: Not, we only start PF_RING module on node with running GRE tunnel. We did not start any software which used PF_RING. On Fri, Jul 11, 2014 at 10:50 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel is this happening when you start capturing GRE traffic? Alfredo On 11 Jul 2014, at 08:49, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! It's really standard configuration. We started GRE tunnel to another server and got this error from PF_RING. On Fri, Jul 11, 2014 at 10:46 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel can you provide
[Ntop-misc] Troubles with PF_RING and GRE
Hello! I'm using GRE together with PF_RING and got very strange stack traces: После загрузки pf_ring в dmesg [ 6797.491521] [PF_RING] Welcome to PF_RING 5.6.2 ($Revision: exported$) [ 6797.491522] (C) 2004-13 ntop.org [ 6797.491554] [PF_RING] registered /proc/net/pf_ring/ [ 6797.491565] NET: Registered protocol family 27 [ 6797.491590] [ cut here ] [ 6797.491605] WARNING: at fs/proc/generic.c:651 proc_register+0xb9/0x170() (Not tainted) [ 6797.491634] Hardware name: MS-7522 [ 6797.491644] proc_dir_entry 'dev/gretap0' already registered [ 6797.491656] Modules linked in: pf_ring(+)(U) cls_u32 sch_sfq sch_htb cpufreq_ondemand acpi_cpufreq freq_table mperf coretemp vzethdev pio_nfs pio_direct pfmt_raw pfmt_ploop1 ploop simfs vziolimit vzdquota ip6t_REJECT ip6table_mangle xt_length xt_hl xt_tcpmss xt_TCPMSS iptable_mangle xt_multiport xt_limit xt_dscp ipt_REJECT vzevent netconsole configfs vznetdev ip_gre ip_tunnel iptable_filter ip6table_filter ip6_tables nf_conntrack_ftp xt_recent vzrst vzcpt vzmon vzdev nfs lockd fscache auth_rpcgss nfs_acl sunrpc xt_connlimit ipt_REDIRECT xt_owner nf_conntrack_ipv6 nf_defrag_ipv6 xt_state ipt_LOG xfrm_ipcomp xfrm4_mode_transport pppol2tp pppox xfrm6_mode_tunnel xfrm4_mode_tunnel esp6 ipv6 esp4 af_key arc4 ecb ppp_mppe ppp_deflate zlib_deflate ppp_async ppp_generic slhc crc_ccitt fuse iptable_nat ip_tables nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 tun iTCO_wdt iTCO_vendor_support e1000 snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore snd_page_alloc sg i2c_i801 lpc_ich mfd_core i7core_edac edac_core tpm_tis tpm shpchp tpm_bios ext4 jbd2 mbcache sd_mod crc_t10dif ahci aacraid nouveau ttm drm_kms_helper drm i2c_algo_bit i2c_core mxm_wmi video output wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan] [ 6797.492738] Pid: 43330, comm: insmod veid: 0 Not tainted 2.6.32-042stab092.2 #1 [ 6797.492857] Call Trace: [ 6797.492923] [81075587] ? warn_slowpath_common+0x87/0xc0 [ 6797.492993] [81075676] ? warn_slowpath_fmt+0x46/0x50 [ 6797.493062] [81222cb9] ? proc_register+0xb9/0x170 [ 6797.493130] [81223032] ? proc_mkdir_mode+0x42/0x60 [ 6797.493199] [81223066] ? proc_mkdir+0x16/0x20 [ 6797.493268] [a06bc894] ? add_device_to_ring_list+0x94/0x1d0 [pf_ring] [ 6797.493388] [810768d0] ? __vprintk+0x560/0x6f0 [ 6797.493458] [a06bcb21] ? ring_notifier+0x151/0x3c0 [pf_ring] [ 6797.493528] [81076a96] ? vprintk+0x36/0x50 [ 6797.493596] [8146991f] ? register_netdevice_notifier+0x8f/0x1e0 [ 6797.493672] [a066b000] ? ring_init+0x0/0x37c [pf_ring] [ 6797.493744] [a066b2bd] ? ring_init+0x2bd/0x37c [pf_ring] [ 6797.493880] [8100204c] ? do_one_initcall+0x3c/0x1d0 [ 6797.493951] [810cee41] ? sys_init_module+0xe1/0x250 [ 6797.494022] [8100b102] ? system_call_fastpath+0x16/0x1b [ 6797.494091] ---[ end trace 954e9c88f18ac701 ]--- [ 6797.494157] Tainting kernel with flag 0x9 [ 6797.494221] Pid: 43330, comm: insmod veid: 0 Not tainted 2.6.32-042stab092.2 #1 [ 6797.494339] Call Trace: [ 6797.494402] [81075411] ? add_taint+0x71/0x80 [ 6797.494470] [81075594] ? warn_slowpath_common+0x94/0xc0 [ 6797.494539] [81075676] ? warn_slowpath_fmt+0x46/0x50 [ 6797.494608] [81222cb9] ? proc_register+0xb9/0x170 [ 6797.495703] [81223032] ? proc_mkdir_mode+0x42/0x60 [ 6797.495764] [81223066] ? proc_mkdir+0x16/0x20 [ 6797.495896] [a06bc894] ? add_device_to_ring_list+0x94/0x1d0 [pf_ring] [ 6797.496015] [810768d0] ? __vprintk+0x560/0x6f0 [ 6797.496085] [a06bcb21] ? ring_notifier+0x151/0x3c0 [pf_ring] [ 6797.496155] [81076a96] ? vprintk+0x36/0x50 [ 6797.496223] [8146991f] ? register_netdevice_notifier+0x8f/0x1e0 [ 6797.496294] [a066b000] ? ring_init+0x0/0x37c [pf_ring] [ 6797.496365] [a066b2bd] ? ring_init+0x2bd/0x37c [pf_ring] [ 6797.496435] [8100204c] ? do_one_initcall+0x3c/0x1d0 [ 6797.496503] [810cee41] ? sys_init_module+0xe1/0x250 [ 6797.496573] [8100b102] ? system_call_fastpath+0x16/0x1b [ 6797.496697] [ cut here ] [ 6797.496758] WARNING: at fs/proc/generic.c:651 proc_register+0xb9/0x170() (Tainted: GW --- ) Same errors with svn version of PR_RING module (6.0.1). -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Troubles with PF_RING and GRE
Hello! It's really standard configuration. We started GRE tunnel to another server and got this error from PF_RING. On Fri, Jul 11, 2014 at 10:46 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel can you provide us a small .pcap file we can use to reproduce the issue? Alfredo On 11 Jul 2014, at 08:32, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I'm using GRE together with PF_RING and got very strange stack traces: После загрузки pf_ring в dmesg [ 6797.491521] [PF_RING] Welcome to PF_RING 5.6.2 ($Revision: exported$) [ 6797.491522] (C) 2004-13 ntop.org [ 6797.491554] [PF_RING] registered /proc/net/pf_ring/ [ 6797.491565] NET: Registered protocol family 27 [ 6797.491590] [ cut here ] [ 6797.491605] WARNING: at fs/proc/generic.c:651 proc_register+0xb9/0x170() (Not tainted) [ 6797.491634] Hardware name: MS-7522 [ 6797.491644] proc_dir_entry 'dev/gretap0' already registered [ 6797.491656] Modules linked in: pf_ring(+)(U) cls_u32 sch_sfq sch_htb cpufreq_ondemand acpi_cpufreq freq_table mperf coretemp vzethdev pio_nfs pio_direct pfmt_raw pfmt_ploop1 ploop simfs vziolimit vzdquota ip6t_REJECT ip6table_mangle xt_length xt_hl xt_tcpmss xt_TCPMSS iptable_mangle xt_multiport xt_limit xt_dscp ipt_REJECT vzevent netconsole configfs vznetdev ip_gre ip_tunnel iptable_filter ip6table_filter ip6_tables nf_conntrack_ftp xt_recent vzrst vzcpt vzmon vzdev nfs lockd fscache auth_rpcgss nfs_acl sunrpc xt_connlimit ipt_REDIRECT xt_owner nf_conntrack_ipv6 nf_defrag_ipv6 xt_state ipt_LOG xfrm_ipcomp xfrm4_mode_transport pppol2tp pppox xfrm6_mode_tunnel xfrm4_mode_tunnel esp6 ipv6 esp4 af_key arc4 ecb ppp_mppe ppp_deflate zlib_deflate ppp_async ppp_generic slhc crc_ccitt fuse iptable_nat ip_tables nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 tun iTCO_wdt iTCO_vendor_support e1000 snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore snd_page_alloc sg i2c_i801 lpc_ich mfd_core i7core_edac edac_core tpm_tis tpm shpchp tpm_bios ext4 jbd2 mbcache sd_mod crc_t10dif ahci aacraid nouveau ttm drm_kms_helper drm i2c_algo_bit i2c_core mxm_wmi video output wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan] [ 6797.492738] Pid: 43330, comm: insmod veid: 0 Not tainted 2.6.32-042stab092.2 #1 [ 6797.492857] Call Trace: [ 6797.492923] [81075587] ? warn_slowpath_common+0x87/0xc0 [ 6797.492993] [81075676] ? warn_slowpath_fmt+0x46/0x50 [ 6797.493062] [81222cb9] ? proc_register+0xb9/0x170 [ 6797.493130] [81223032] ? proc_mkdir_mode+0x42/0x60 [ 6797.493199] [81223066] ? proc_mkdir+0x16/0x20 [ 6797.493268] [a06bc894] ? add_device_to_ring_list+0x94/0x1d0 [pf_ring] [ 6797.493388] [810768d0] ? __vprintk+0x560/0x6f0 [ 6797.493458] [a06bcb21] ? ring_notifier+0x151/0x3c0 [pf_ring] [ 6797.493528] [81076a96] ? vprintk+0x36/0x50 [ 6797.493596] [8146991f] ? register_netdevice_notifier+0x8f/0x1e0 [ 6797.493672] [a066b000] ? ring_init+0x0/0x37c [pf_ring] [ 6797.493744] [a066b2bd] ? ring_init+0x2bd/0x37c [pf_ring] [ 6797.493880] [8100204c] ? do_one_initcall+0x3c/0x1d0 [ 6797.493951] [810cee41] ? sys_init_module+0xe1/0x250 [ 6797.494022] [8100b102] ? system_call_fastpath+0x16/0x1b [ 6797.494091] ---[ end trace 954e9c88f18ac701 ]--- [ 6797.494157] Tainting kernel with flag 0x9 [ 6797.494221] Pid: 43330, comm: insmod veid: 0 Not tainted 2.6.32-042stab092.2 #1 [ 6797.494339] Call Trace: [ 6797.494402] [81075411] ? add_taint+0x71/0x80 [ 6797.494470] [81075594] ? warn_slowpath_common+0x94/0xc0 [ 6797.494539] [81075676] ? warn_slowpath_fmt+0x46/0x50 [ 6797.494608] [81222cb9] ? proc_register+0xb9/0x170 [ 6797.495703] [81223032] ? proc_mkdir_mode+0x42/0x60 [ 6797.495764] [81223066] ? proc_mkdir+0x16/0x20 [ 6797.495896] [a06bc894] ? add_device_to_ring_list+0x94/0x1d0 [pf_ring] [ 6797.496015] [810768d0] ? __vprintk+0x560/0x6f0 [ 6797.496085] [a06bcb21] ? ring_notifier+0x151/0x3c0 [pf_ring] [ 6797.496155] [81076a96] ? vprintk+0x36/0x50 [ 6797.496223] [8146991f] ? register_netdevice_notifier+0x8f/0x1e0 [ 6797.496294] [a066b000] ? ring_init+0x0/0x37c [pf_ring] [ 6797.496365] [a066b2bd] ? ring_init+0x2bd/0x37c [pf_ring] [ 6797.496435] [8100204c] ? do_one_initcall+0x3c/0x1d0 [ 6797.496503] [810cee41] ? sys_init_module+0xe1/0x250 [ 6797.496573] [8100b102] ? system_call_fastpath+0x16/0x1b [ 6797.496697] [ cut here ] [ 6797.496758] WARNING: at fs/proc/generic.c:651 proc_register+0xb9/0x170() (Tainted: GW --- ) Same errors with svn version of PR_RING module (6.0.1). -- Sincerely yours, Pavel Odintsov
Re: [Ntop-misc] Troubles with PF_RING and GRE
Not, we only start PF_RING module on node with running GRE tunnel. We did not start any software which used PF_RING. On Fri, Jul 11, 2014 at 10:50 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel is this happening when you start capturing GRE traffic? Alfredo On 11 Jul 2014, at 08:49, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! It's really standard configuration. We started GRE tunnel to another server and got this error from PF_RING. On Fri, Jul 11, 2014 at 10:46 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel can you provide us a small .pcap file we can use to reproduce the issue? Alfredo On 11 Jul 2014, at 08:32, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I'm using GRE together with PF_RING and got very strange stack traces: После загрузки pf_ring в dmesg [ 6797.491521] [PF_RING] Welcome to PF_RING 5.6.2 ($Revision: exported$) [ 6797.491522] (C) 2004-13 ntop.org [ 6797.491554] [PF_RING] registered /proc/net/pf_ring/ [ 6797.491565] NET: Registered protocol family 27 [ 6797.491590] [ cut here ] [ 6797.491605] WARNING: at fs/proc/generic.c:651 proc_register+0xb9/0x170() (Not tainted) [ 6797.491634] Hardware name: MS-7522 [ 6797.491644] proc_dir_entry 'dev/gretap0' already registered [ 6797.491656] Modules linked in: pf_ring(+)(U) cls_u32 sch_sfq sch_htb cpufreq_ondemand acpi_cpufreq freq_table mperf coretemp vzethdev pio_nfs pio_direct pfmt_raw pfmt_ploop1 ploop simfs vziolimit vzdquota ip6t_REJECT ip6table_mangle xt_length xt_hl xt_tcpmss xt_TCPMSS iptable_mangle xt_multiport xt_limit xt_dscp ipt_REJECT vzevent netconsole configfs vznetdev ip_gre ip_tunnel iptable_filter ip6table_filter ip6_tables nf_conntrack_ftp xt_recent vzrst vzcpt vzmon vzdev nfs lockd fscache auth_rpcgss nfs_acl sunrpc xt_connlimit ipt_REDIRECT xt_owner nf_conntrack_ipv6 nf_defrag_ipv6 xt_state ipt_LOG xfrm_ipcomp xfrm4_mode_transport pppol2tp pppox xfrm6_mode_tunnel xfrm4_mode_tunnel esp6 ipv6 esp4 af_key arc4 ecb ppp_mppe ppp_deflate zlib_deflate ppp_async ppp_generic slhc crc_ccitt fuse iptable_nat ip_tables nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 tun iTCO_wdt iTCO_vendor_support e1000 snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore snd_page_alloc sg i2c_i801 lpc_ich mfd_core i7core_edac edac_core tpm_tis tpm shpchp tpm_bios ext4 jbd2 mbcache sd_mod crc_t10dif ahci aacraid nouveau ttm drm_kms_helper drm i2c_algo_bit i2c_core mxm_wmi video output wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan] [ 6797.492738] Pid: 43330, comm: insmod veid: 0 Not tainted 2.6.32-042stab092.2 #1 [ 6797.492857] Call Trace: [ 6797.492923] [81075587] ? warn_slowpath_common+0x87/0xc0 [ 6797.492993] [81075676] ? warn_slowpath_fmt+0x46/0x50 [ 6797.493062] [81222cb9] ? proc_register+0xb9/0x170 [ 6797.493130] [81223032] ? proc_mkdir_mode+0x42/0x60 [ 6797.493199] [81223066] ? proc_mkdir+0x16/0x20 [ 6797.493268] [a06bc894] ? add_device_to_ring_list+0x94/0x1d0 [pf_ring] [ 6797.493388] [810768d0] ? __vprintk+0x560/0x6f0 [ 6797.493458] [a06bcb21] ? ring_notifier+0x151/0x3c0 [pf_ring] [ 6797.493528] [81076a96] ? vprintk+0x36/0x50 [ 6797.493596] [8146991f] ? register_netdevice_notifier+0x8f/0x1e0 [ 6797.493672] [a066b000] ? ring_init+0x0/0x37c [pf_ring] [ 6797.493744] [a066b2bd] ? ring_init+0x2bd/0x37c [pf_ring] [ 6797.493880] [8100204c] ? do_one_initcall+0x3c/0x1d0 [ 6797.493951] [810cee41] ? sys_init_module+0xe1/0x250 [ 6797.494022] [8100b102] ? system_call_fastpath+0x16/0x1b [ 6797.494091] ---[ end trace 954e9c88f18ac701 ]--- [ 6797.494157] Tainting kernel with flag 0x9 [ 6797.494221] Pid: 43330, comm: insmod veid: 0 Not tainted 2.6.32-042stab092.2 #1 [ 6797.494339] Call Trace: [ 6797.494402] [81075411] ? add_taint+0x71/0x80 [ 6797.494470] [81075594] ? warn_slowpath_common+0x94/0xc0 [ 6797.494539] [81075676] ? warn_slowpath_fmt+0x46/0x50 [ 6797.494608] [81222cb9] ? proc_register+0xb9/0x170 [ 6797.495703] [81223032] ? proc_mkdir_mode+0x42/0x60 [ 6797.495764] [81223066] ? proc_mkdir+0x16/0x20 [ 6797.495896] [a06bc894] ? add_device_to_ring_list+0x94/0x1d0 [pf_ring] [ 6797.496015] [810768d0] ? __vprintk+0x560/0x6f0 [ 6797.496085] [a06bcb21] ? ring_notifier+0x151/0x3c0 [pf_ring] [ 6797.496155] [81076a96] ? vprintk+0x36/0x50 [ 6797.496223] [8146991f] ? register_netdevice_notifier+0x8f/0x1e0 [ 6797.496294] [a066b000] ? ring_init+0x0/0x37c [pf_ring] [ 6797.496365] [a066b2bd] ? ring_init+0x2bd/0x37c [pf_ring] [ 6797.496435] [8100204c] ? do_one_initcall+0x3c/0x1d0 [ 6797.496503] [810cee41] ? sys_init_module+0xe1/0x250 [ 6797.496573
Re: [Ntop-misc] Troubles with PF_RING and GRE
Right! On Fri, Jul 11, 2014 at 11:08 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Ok now I understand. Is this happening *only* when GRE is up? Alfredo On 11 Jul 2014, at 08:58, Pavel Odintsov pavel.odint...@gmail.com wrote: Not, we only start PF_RING module on node with running GRE tunnel. We did not start any software which used PF_RING. On Fri, Jul 11, 2014 at 10:50 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel is this happening when you start capturing GRE traffic? Alfredo On 11 Jul 2014, at 08:49, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! It's really standard configuration. We started GRE tunnel to another server and got this error from PF_RING. On Fri, Jul 11, 2014 at 10:46 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel can you provide us a small .pcap file we can use to reproduce the issue? Alfredo On 11 Jul 2014, at 08:32, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I'm using GRE together with PF_RING and got very strange stack traces: После загрузки pf_ring в dmesg [ 6797.491521] [PF_RING] Welcome to PF_RING 5.6.2 ($Revision: exported$) [ 6797.491522] (C) 2004-13 ntop.org [ 6797.491554] [PF_RING] registered /proc/net/pf_ring/ [ 6797.491565] NET: Registered protocol family 27 [ 6797.491590] [ cut here ] [ 6797.491605] WARNING: at fs/proc/generic.c:651 proc_register+0xb9/0x170() (Not tainted) [ 6797.491634] Hardware name: MS-7522 [ 6797.491644] proc_dir_entry 'dev/gretap0' already registered [ 6797.491656] Modules linked in: pf_ring(+)(U) cls_u32 sch_sfq sch_htb cpufreq_ondemand acpi_cpufreq freq_table mperf coretemp vzethdev pio_nfs pio_direct pfmt_raw pfmt_ploop1 ploop simfs vziolimit vzdquota ip6t_REJECT ip6table_mangle xt_length xt_hl xt_tcpmss xt_TCPMSS iptable_mangle xt_multiport xt_limit xt_dscp ipt_REJECT vzevent netconsole configfs vznetdev ip_gre ip_tunnel iptable_filter ip6table_filter ip6_tables nf_conntrack_ftp xt_recent vzrst vzcpt vzmon vzdev nfs lockd fscache auth_rpcgss nfs_acl sunrpc xt_connlimit ipt_REDIRECT xt_owner nf_conntrack_ipv6 nf_defrag_ipv6 xt_state ipt_LOG xfrm_ipcomp xfrm4_mode_transport pppol2tp pppox xfrm6_mode_tunnel xfrm4_mode_tunnel esp6 ipv6 esp4 af_key arc4 ecb ppp_mppe ppp_deflate zlib_deflate ppp_async ppp_generic slhc crc_ccitt fuse iptable_nat ip_tables nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 tun iTCO_wdt iTCO_vendor_support e1000 snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore snd_page_alloc sg i2c_i801 lpc_ich mfd_core i7core_edac edac_core tpm_tis tpm shpchp tpm_bios ext4 jbd2 mbcache sd_mod crc_t10dif ahci aacraid nouveau ttm drm_kms_helper drm i2c_algo_bit i2c_core mxm_wmi video output wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan] [ 6797.492738] Pid: 43330, comm: insmod veid: 0 Not tainted 2.6.32-042stab092.2 #1 [ 6797.492857] Call Trace: [ 6797.492923] [81075587] ? warn_slowpath_common+0x87/0xc0 [ 6797.492993] [81075676] ? warn_slowpath_fmt+0x46/0x50 [ 6797.493062] [81222cb9] ? proc_register+0xb9/0x170 [ 6797.493130] [81223032] ? proc_mkdir_mode+0x42/0x60 [ 6797.493199] [81223066] ? proc_mkdir+0x16/0x20 [ 6797.493268] [a06bc894] ? add_device_to_ring_list+0x94/0x1d0 [pf_ring] [ 6797.493388] [810768d0] ? __vprintk+0x560/0x6f0 [ 6797.493458] [a06bcb21] ? ring_notifier+0x151/0x3c0 [pf_ring] [ 6797.493528] [81076a96] ? vprintk+0x36/0x50 [ 6797.493596] [8146991f] ? register_netdevice_notifier+0x8f/0x1e0 [ 6797.493672] [a066b000] ? ring_init+0x0/0x37c [pf_ring] [ 6797.493744] [a066b2bd] ? ring_init+0x2bd/0x37c [pf_ring] [ 6797.493880] [8100204c] ? do_one_initcall+0x3c/0x1d0 [ 6797.493951] [810cee41] ? sys_init_module+0xe1/0x250 [ 6797.494022] [8100b102] ? system_call_fastpath+0x16/0x1b [ 6797.494091] ---[ end trace 954e9c88f18ac701 ]--- [ 6797.494157] Tainting kernel with flag 0x9 [ 6797.494221] Pid: 43330, comm: insmod veid: 0 Not tainted 2.6.32-042stab092.2 #1 [ 6797.494339] Call Trace: [ 6797.494402] [81075411] ? add_taint+0x71/0x80 [ 6797.494470] [81075594] ? warn_slowpath_common+0x94/0xc0 [ 6797.494539] [81075676] ? warn_slowpath_fmt+0x46/0x50 [ 6797.494608] [81222cb9] ? proc_register+0xb9/0x170 [ 6797.495703] [81223032] ? proc_mkdir_mode+0x42/0x60 [ 6797.495764] [81223066] ? proc_mkdir+0x16/0x20 [ 6797.495896] [a06bc894] ? add_device_to_ring_list+0x94/0x1d0 [pf_ring] [ 6797.496015] [810768d0] ? __vprintk+0x560/0x6f0 [ 6797.496085] [a06bcb21] ? ring_notifier+0x151/0x3c0 [pf_ring] [ 6797.496155] [81076a96] ? vprintk+0x36/0x50 [ 6797.496223] [8146991f] ? register_netdevice_notifier+0x8f/0x1e0 [ 6797.496294] [a066b000
Re: [Ntop-misc] Troubles with PF_RING and GRE
Thank you! I will check it soon. On Fri, Jul 11, 2014 at 2:26 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel please try updating from svn and let us know. Cutpaste dmesg and ifconfig output if possible. Thank you Alfredo On 11 Jul 2014, at 09:09, Pavel Odintsov pavel.odint...@gmail.com wrote: Right! On Fri, Jul 11, 2014 at 11:08 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Ok now I understand. Is this happening *only* when GRE is up? Alfredo On 11 Jul 2014, at 08:58, Pavel Odintsov pavel.odint...@gmail.com wrote: Not, we only start PF_RING module on node with running GRE tunnel. We did not start any software which used PF_RING. On Fri, Jul 11, 2014 at 10:50 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel is this happening when you start capturing GRE traffic? Alfredo On 11 Jul 2014, at 08:49, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! It's really standard configuration. We started GRE tunnel to another server and got this error from PF_RING. On Fri, Jul 11, 2014 at 10:46 AM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Pavel can you provide us a small .pcap file we can use to reproduce the issue? Alfredo On 11 Jul 2014, at 08:32, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I'm using GRE together with PF_RING and got very strange stack traces: После загрузки pf_ring в dmesg [ 6797.491521] [PF_RING] Welcome to PF_RING 5.6.2 ($Revision: exported$) [ 6797.491522] (C) 2004-13 ntop.org [ 6797.491554] [PF_RING] registered /proc/net/pf_ring/ [ 6797.491565] NET: Registered protocol family 27 [ 6797.491590] [ cut here ] [ 6797.491605] WARNING: at fs/proc/generic.c:651 proc_register+0xb9/0x170() (Not tainted) [ 6797.491634] Hardware name: MS-7522 [ 6797.491644] proc_dir_entry 'dev/gretap0' already registered [ 6797.491656] Modules linked in: pf_ring(+)(U) cls_u32 sch_sfq sch_htb cpufreq_ondemand acpi_cpufreq freq_table mperf coretemp vzethdev pio_nfs pio_direct pfmt_raw pfmt_ploop1 ploop simfs vziolimit vzdquota ip6t_REJECT ip6table_mangle xt_length xt_hl xt_tcpmss xt_TCPMSS iptable_mangle xt_multiport xt_limit xt_dscp ipt_REJECT vzevent netconsole configfs vznetdev ip_gre ip_tunnel iptable_filter ip6table_filter ip6_tables nf_conntrack_ftp xt_recent vzrst vzcpt vzmon vzdev nfs lockd fscache auth_rpcgss nfs_acl sunrpc xt_connlimit ipt_REDIRECT xt_owner nf_conntrack_ipv6 nf_defrag_ipv6 xt_state ipt_LOG xfrm_ipcomp xfrm4_mode_transport pppol2tp pppox xfrm6_mode_tunnel xfrm4_mode_tunnel esp6 ipv6 esp4 af_key arc4 ecb ppp_mppe ppp_deflate zlib_deflate ppp_async ppp_generic slhc crc_ccitt fuse iptable_nat ip_tables nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 tun iTCO_wdt iTCO_vendor_support e1000 snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore snd_page_alloc sg i2c_i801 lpc_ich mfd_core i7core_edac edac_core tpm_tis tpm shpchp tpm_bios ext4 jbd2 mbcache sd_mod crc_t10dif ahci aacraid nouveau ttm drm_kms_helper drm i2c_algo_bit i2c_core mxm_wmi video output wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan] [ 6797.492738] Pid: 43330, comm: insmod veid: 0 Not tainted 2.6.32-042stab092.2 #1 [ 6797.492857] Call Trace: [ 6797.492923] [81075587] ? warn_slowpath_common+0x87/0xc0 [ 6797.492993] [81075676] ? warn_slowpath_fmt+0x46/0x50 [ 6797.493062] [81222cb9] ? proc_register+0xb9/0x170 [ 6797.493130] [81223032] ? proc_mkdir_mode+0x42/0x60 [ 6797.493199] [81223066] ? proc_mkdir+0x16/0x20 [ 6797.493268] [a06bc894] ? add_device_to_ring_list+0x94/0x1d0 [pf_ring] [ 6797.493388] [810768d0] ? __vprintk+0x560/0x6f0 [ 6797.493458] [a06bcb21] ? ring_notifier+0x151/0x3c0 [pf_ring] [ 6797.493528] [81076a96] ? vprintk+0x36/0x50 [ 6797.493596] [8146991f] ? register_netdevice_notifier+0x8f/0x1e0 [ 6797.493672] [a066b000] ? ring_init+0x0/0x37c [pf_ring] [ 6797.493744] [a066b2bd] ? ring_init+0x2bd/0x37c [pf_ring] [ 6797.493880] [8100204c] ? do_one_initcall+0x3c/0x1d0 [ 6797.493951] [810cee41] ? sys_init_module+0xe1/0x250 [ 6797.494022] [8100b102] ? system_call_fastpath+0x16/0x1b [ 6797.494091] ---[ end trace 954e9c88f18ac701 ]--- [ 6797.494157] Tainting kernel with flag 0x9 [ 6797.494221] Pid: 43330, comm: insmod veid: 0 Not tainted 2.6.32-042stab092.2 #1 [ 6797.494339] Call Trace: [ 6797.494402] [81075411] ? add_taint+0x71/0x80 [ 6797.494470] [81075594] ? warn_slowpath_common+0x94/0xc0 [ 6797.494539] [81075676] ? warn_slowpath_fmt+0x46/0x50 [ 6797.494608] [81222cb9] ? proc_register+0xb9/0x170 [ 6797.495703] [81223032] ? proc_mkdir_mode+0x42/0x60 [ 6797.495764] [81223066] ? proc_mkdir+0x16/0x20 [ 6797.495896] [a06bc894] ? add_device_to_ring_list+0x94
[Ntop-misc] Problems with errno and pfring_open
Hello! I'm used pfring_open in my code and found very strange behaviour with errno variable. printf(pf_handle: %p strerror: %s errno: %d\n, pf_ring_descr, strerror(errno), errno); pf_ring_descr = pfring_open(dev, snaplen, flags); printf(pf_handle: %p strerror: %s errno: %d\n, pf_ring_descr, strerror(errno), errno); This snippet got following output: pf_handle: (nil) strerror: Success errno: 0 pf_handle: 0x9d02e0 strerror: Operation not supported errno: 95 But after this errors al work perfectly! I suppose it's bug. If you need full my program code, it's here: https://gist.github.com/pavel-odintsov/62f372c882c83d85ed17 Sorry for duplicated messages, it's my mistake. -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Problems with errno and pfring_open
Thank you! On Mon, Jun 16, 2014 at 10:36 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Fixed in SVN, thank you for reporting. Alfredo On 16 Jun 2014, at 10:48, Pavel Odintsov pavel.odint...@gmail.com wrote: Hello! I'm used pfring_open in my code and found very strange behaviour with errno variable. printf(pf_handle: %p strerror: %s errno: %d\n, pf_ring_descr, strerror(errno), errno); pf_ring_descr = pfring_open(dev, snaplen, flags); printf(pf_handle: %p strerror: %s errno: %d\n, pf_ring_descr, strerror(errno), errno); This snippet got following output: pf_handle: (nil) strerror: Success errno: 0 pf_handle: 0x9d02e0 strerror: Operation not supported errno: 95 But after this errors al work perfectly! I suppose it's bug. If you need full my program code, it's here: https://gist.github.com/pavel-odintsov/62f372c882c83d85ed17 Sorry for duplicated messages, it's my mistake. -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Sincerely yours, Pavel Odintsov ___ Ntop-misc mailing list Ntop-misc@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop-misc