Argus with PF_RING DNA clusters

Chris Wakelin c.d.wakelin at reading.ac.uk
Sun Jul 15 16:48:56 EDT 2012 

Hi,

I've been trying to get Argus working with the more advanced versions of
PF_RING. In many ways this is similar to proprietary capture cards
except for being a software solution.

There's details of PF_RING DNA and a zero-copy mechanism called libzero
at http://www.ntop.org/products/pf_ring/libzero-for-dna/.

What it basically does is provide virtual interfaces dnacluster:X at Y
which each get a subset of the traffic. I'm hoping to use something like
-i ind:dnacluster:1 at 0,dnacluster:1 at 1,...,dnacluster:1 at 7 to run a
multithreaded ARGUS.

I needed to make a similar change to that suggested for the Napatech cards:-

> --- ArgusSource.c.orig  2012-06-20 14:11:43.000000000 +0100
> +++ ArgusSource.c       2012-07-09 20:17:17.820122121 +0100
> @@ -4182,7 +4182,7 @@
>     if (device == NULL)
>        return;
>  
> -   if (strstr(device->name, "dag") || strstr(device->name, "nap")) {
> +   if (strstr(device->name, "dag") || strstr(device->name, "nap") || strstr(device->name, "dna")) { /*CDW* add "dna" */
>        for (i = 0; i < src->ArgusInterfaces; i++) {
>           if (src->ArgusInterface[i].ArgusPd && (pcap_fileno(src->ArgusInterface[i].ArgusPd) > 0))
>              bzero ((char *)&src->ArgusInterface[i].ifr, sizeof(ifr));
> @@ -4223,6 +4223,7 @@
>              }
>           }
>  #else
> +
>           src->ArgusInterface[i].ifr.ifr_flags |= IFF_UP;
>           setArgusInterfaceStatus(src, 1);
>  #endif

and it works so far as capturing traffic is concerned.

However each thread uses 100% CPU, even with no traffic, whereas with
"ordinary" PF_RING (which needs no special tweaks), the usage is normal.

Any idea where to start looking for a cause? Debug output isn't leaving
me any the wiser:

(-D6 with no traffic)

> ArgusOutputProcess() looping
> ArgusOutputProcess() checking for remotes
> ArgusOutputProcess() done checking for remotes
> ArgusOutputProcess() waiting for input list
> ArgusOutputProcess() checking out clients
> ArgusOutputProcess() done with clients
> ArgusOutputProcess() looping

(with traffic)

> ArgusOutputProcess() looping
> ArgusOutputProcess() checking for remotes
> ArgusOutputProcess() done checking for remotes
> ArgusOutputProcess() waiting for input list
> ArgusCalloc (1, 1680) returning 0x7f77a007aad0
> ArgusAddHashEntry (0x7f77a007aad0) returning 0x7f77a007ab10
> ArgusCalloc (1, 1680) returning 0x7f77a007b170
> ArgusAddHashEntry (0x7f77a007b170) returning 0x7f77a007b1b0
> ArgusCalloc (34, 4) returning 0x7f77a007b810
> ArgusCalloc (34, 4) returning 0x7f77a007b8a0
> ArgusCalloc (1, 1680) returning 0x7f77a007b930
> ArgusAddHashEntry (0x7f77a007b930) returning 0x7f77a007b970
> ArgusCalloc (34, 4) returning 0x7f77a007bfd0
> ArgusCreateESPFlow(0xb1e27012) returning 0xb9d460
...
> ArgusOutputProcess() checking out clients
> ArgusOutputProcess() done with clients
> ArgusOutputProcsss() looping

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094

More information about the argus mailing list