Argus with PF_RING DNA clusters
Chris Wakelin
c.d.wakelin at reading.ac.uk
Mon Jul 16 16:31:26 EDT 2012
On 16/07/12 01:16, Carter Bullard wrote:
> Hey Chris, More than likely the select() that is used to read the
> interface is not blocking for any amount of time. We call it with a
> timeout value, which should give us some idle time if there aren't
> any packets.
I think you're probably right. With debug -D10:
ArgusGetPackets: pcap_dispatch() interface 1 up
ArgusUpdateTime (0x1708c70) not time
ArgusGetPackets: select() returned 1
ArgusGetPackets: pcap_dispatch() interface 1 up
ArgusUpdateTime (0x1708c70) not time
ArgusGetPackets: select() returned 1
...
even when there are no packets.
>
> Are these virtual interfaces selectable?
I think so, in that select() does succeed. There is an option to make
PF_RING block until a packet is received, but that doesn't seem to help.
PF_RING docs talk about poll() rather than select(), but I think they're
pretty much the same?
Best Wishes,
Chris
>
> Carter
>
> On Jul 15, 2012, at 4:48 PM, Chris Wakelin
> <c.d.wakelin at reading.ac.uk> wrote:
>
>> Hi,
>>
>> I've been trying to get Argus working with the more advanced
>> versions of PF_RING. In many ways this is similar to proprietary
>> capture cards except for being a software solution.
>>
>> There are details of PF_RING DNA and a zero-copy mechanism called
>> libzero at http://www.ntop.org/products/pf_ring/libzero-for-dna/.
>>
>> What it basically does is provide virtual interfaces
>> dnacluster:X@Y which each get a subset of the traffic. I'm hoping
>> to use something like
>> -i ind:dnacluster:1@0,dnacluster:1@1,...,dnacluster:1@7 to run a
>> multithreaded ARGUS.
<snip>
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
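
Added example, not part of the original message and not Argus or PF_RING code: a C sketch of the symptom in the debug trace above, where select() is given a timeout but returns 1 on every pass although no packet is delivered, so the sensor never idles. The pipe-based descriptor, `dispatch()`, `capture_loop()` and the 1 ms guard are assumptions made for illustration; the pipe only stands in for a capture descriptor that always reports readable.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/select.h>
#include <time.h>
#include <unistd.h>

/* Constructed stand-in for a capture fd that select() always reports as
 * readable but that never yields data: a pipe read end at EOF. */
int always_ready_fd(void) {
    int p[2];
    if (pipe(p) != 0) return -1;
    close(p[1]);                       /* no writer: readable, read() == 0 */
    return p[0];
}

/* Hypothetical stand-in for pcap_dispatch(): number of packets handled. */
static int dispatch(int fd) {
    char buf[64];
    return read(fd, buf, sizeof buf) > 0 ? 1 : 0;
}

/* Run `iters` passes of select() (100 ms timeout) followed by dispatch().
 * With guard != 0, sleep 1 ms after a wakeup that delivered no packet.
 * Returns the count of empty wakeups; *elapsed_ms receives wall time. */
int capture_loop(int fd, int iters, int guard, long *elapsed_ms) {
    struct timespec t0, t1, nap = {0, 1000000};
    int empty = 0;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (int i = 0; i < iters; i++) {
        fd_set rd;
        struct timeval tv = {0, 100000};
        FD_ZERO(&rd);
        FD_SET(fd, &rd);
        if (select(fd + 1, &rd, NULL, NULL, &tv) > 0 && dispatch(fd) == 0) {
            empty++;                   /* "select() returned 1", no packet */
            if (guard) nanosleep(&nap, NULL);
        }
    }
    clock_gettime(CLOCK_MONOTONIC, &t1);
    *elapsed_ms = (t1.tv_sec - t0.tv_sec) * 1000
                + (t1.tv_nsec - t0.tv_nsec) / 1000000;
    return empty;
}

int main(void) {
    long ms;
    int fd = always_ready_fd();
    int e = capture_loop(fd, 200, 0, &ms);
    printf("no guard: %d empty wakeups in %ld ms\n", e, ms);
    e = capture_loop(fd, 200, 1, &ms);
    printf("guard:    %d empty wakeups in %ld ms\n", e, ms);
    return 0;
}
```

Counting empty wakeups per interval is a cheap health check for a sensor: a count that tracks the loop rate while traffic is idle means the descriptor's readiness signal cannot be trusted and the timeout is not providing idle time.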