Argus with PF_RING DNA clusters

Carter Bullard carter at qosient.com
Sun Jul 15 20:16:08 EDT 2012 

Hey Chris,
More than likely the select() that is used to read the interface is not blocking for any amount of time.  We call it with a timeout value, which should give us some idle time if there aren't any packets.

Are these virtual interfaces selectable?

Carter 

On Jul 15, 2012, at 4:48 PM, Chris Wakelin <c.d.wakelin at reading.ac.uk> wrote:

> Hi,
> 
> I've been trying to get Argus working with the more advanced versions of
> PF_RING. In many ways this is similar to proprietary capture cards
> except for being a software solution.
> 
> There's details of PF_RING DNA and a zero-copy mechanism called libzero
> at http://www.ntop.org/products/pf_ring/libzero-for-dna/.
> 
> What it basically does is provide virtual interfaces dnacluster:X at Y
> which each get a subset of the traffic. I'm hoping to use something like
> -i ind:dnacluster:1 at 0,dnacluster:1 at 1,...,dnacluster:1 at 7 to run a
> multithreaded ARGUS.
> 
> I needed to make a similar change to that suggested for the Napatech cards:-
> 
>> --- ArgusSource.c.orig  2012-06-20 14:11:43.000000000 +0100
>> +++ ArgusSource.c       2012-07-09 20:17:17.820122121 +0100
>> @@ -4182,7 +4182,7 @@
>>    if (device == NULL)
>>       return;
>> 
>> -   if (strstr(device->name, "dag") || strstr(device->name, "nap")) {
>> +   if (strstr(device->name, "dag") || strstr(device->name, "nap") || strstr(device->name, "dna")) { /*CDW* add "dna" */
>>       for (i = 0; i < src->ArgusInterfaces; i++) {
>>          if (src->ArgusInterface[i].ArgusPd && (pcap_fileno(src->ArgusInterface[i].ArgusPd) > 0))
>>             bzero ((char *)&src->ArgusInterface[i].ifr, sizeof(ifr));
>> @@ -4223,6 +4223,7 @@
>>             }
>>          }
>> #else
>> +
>>          src->ArgusInterface[i].ifr.ifr_flags |= IFF_UP;
>>          setArgusInterfaceStatus(src, 1);
>> #endif
> 
> and it works so far as capturing traffic is concerned.
> 
> However each thread uses 100% CPU, even with no traffic, whereas with
> "ordinary" PF_RING (which needs no special tweaks), the usage is normal.
> 
> Any idea where to start looking for a cause? Debug output isn't leaving
> me any the wiser:
> 
> (-D6 with no traffic)
> 
>> ArgusOutputProcess() looping
>> ArgusOutputProcess() checking for remotes
>> ArgusOutputProcess() done checking for remotes
>> ArgusOutputProcess() waiting for input list
>> ArgusOutputProcess() checking out clients
>> ArgusOutputProcess() done with clients
>> ArgusOutputProcess() looping
> 
> (with traffic)
> 
>> ArgusOutputProcess() looping
>> ArgusOutputProcess() checking for remotes
>> ArgusOutputProcess() done checking for remotes
>> ArgusOutputProcess() waiting for input list
>> ArgusCalloc (1, 1680) returning 0x7f77a007aad0
>> ArgusAddHashEntry (0x7f77a007aad0) returning 0x7f77a007ab10
>> ArgusCalloc (1, 1680) returning 0x7f77a007b170
>> ArgusAddHashEntry (0x7f77a007b170) returning 0x7f77a007b1b0
>> ArgusCalloc (34, 4) returning 0x7f77a007b810
>> ArgusCalloc (34, 4) returning 0x7f77a007b8a0
>> ArgusCalloc (1, 1680) returning 0x7f77a007b930
>> ArgusAddHashEntry (0x7f77a007b930) returning 0x7f77a007b970
>> ArgusCalloc (34, 4) returning 0x7f77a007bfd0
>> ArgusCreateESPFlow(0xb1e27012) returning 0xb9d460
> ...
>> ArgusOutputProcess() checking out clients
>> ArgusOutputProcess() done with clients
>> ArgusOutputProcsss() looping
> 
> Best Wishes,
> Chris
> 
> -- 
> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
> IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
> Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
> 
>

More information about the argus mailing list