Argus with PF_RING DNA clusters

Chris Wakelin c.d.wakelin at reading.ac.uk
Thu Sep 27 17:00:41 EDT 2012


Hi,

I've been having some more problems with ARGUS and PF_RING DNA clusters.
It turns out that with ARGUS running, the other applications reading the
same packets are seeing truncated IPv6 packets. As soon as ARGUS is
stopped, things go back to normal.

E.g. tcpdump output:

> 18:45:36.174466600 IP6 truncated-ip6 - 5355 bytes missing!2001:630:53:26:5026:29a2:5863:dbaf.65226 > 2a00:1450:400c:c06::5d.443: Flags [.], seq 2651079285:2651084641, ack 1774208329, win 259, length 5356
> 18:45:36.174535600 IP6 truncated-ip6 - 8160 bytes missing!2a00:1450:400c:c06::5d.443 > 2001:630:53:26:5026:29a2:5863:dbaf.65226: Flags [.], seq 1:8161, ack 1, win 272, options [nop,nop,sack 1 {0:1}], length 8160

The PF_RING clusters use a zero-copy mechanism which means that each
application is seeing the exact same chunk of memory. Is it possible
that ARGUS is modifying this, in particular for the IPv6 handling?

The "select() returning immediately" problem is still there, but the
PF_RING authors say they're working on a fix. They don't think the IPv6
issue is related.

Best Wishes,
Chris

On 16/07/12 21:31, Chris Wakelin wrote:
> On 16/07/12 01:16, Carter Bullard wrote:
>> Hey Chris, More than likely the select() that is used to read the
>> interface is not blocking for any amount of time.  We call it with a
>> timeout value, which should give us some idle time if there aren't
>> any packets.
> 
> I think you're probably right. With debug -D10:
> 
> ArgusGetPackets: pcap_dispatch() interface  1 up
> ArgusUpdateTime (0x1708c70) not time
> ArgusGetPackets: select() returned 1
> ArgusGetPackets: pcap_dispatch() interface  1 up
> ArgusUpdateTime (0x1708c70) not time
> ArgusGetPackets: select() returned 1
> ...
> 
> even when there are no packets.
> 
>>
>> Are these virtual interfaces selectable?
> 
> I think so, in that select() does succeed. There is an option to make
> PF_RING block until a packet is received, but that doesn't seem to help.
> 
> PF_RING docs talk about poll() rather than select(), but I think they're
> pretty much the same?
> 
> Best Wishes,
> Chris
> 
>>
>> Carter
>>
>> On Jul 15, 2012, at 4:48 PM, Chris Wakelin
>> <c.d.wakelin at reading.ac.uk> wrote:
>>
>>> Hi,
>>>
>>> I've been trying to get Argus working with the more advanced
>>> versions of PF_RING. In many ways this is similar to proprietary
>>> capture cards except for being a software solution.
>>>
>>> There are details of PF_RING DNA and a zero-copy mechanism called
>>> libzero at http://www.ntop.org/products/pf_ring/libzero-for-dna/.
>>>
>>> What it basically does is provide virtual interfaces
>>> dnacluster:X at Y which each get a subset of the traffic. I'm hoping
>>> to use something like -i
>>> ind:dnacluster:1 at 0,dnacluster:1 at 1,...,dnacluster:1 at 7 to run a 
>>> multithreaded ARGUS.
> 
> <snip>
> 
> 


-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
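Two checks that follow from this report, as an added example that is not Chris's code and not part of Argus or PF_RING: the Payload Length consistency test behind tcpdump's "truncated-ip6" message, and a snapshot-and-compare harness that shows whether one consumer writes into a buffer that every zero-copy reader shares. The sample frame and the misbehaving consumer are constructed stand-ins; they do not claim to reproduce what Argus does.

```c
#include <stdint.h>
#include <string.h>
/* Mirrors the test behind tcpdump's "truncated-ip6 - N bytes missing!": the
 * IPv6 Payload Length field (header offset 4) is compared with the bytes present
 * after the 40-byte header (here: captured bytes). Returns the shortfall, 0 if
 * consistent, -1 if not Ethernet/IPv6. Payload Length 0 is a jumbogram, not flagged. */
long ip6_bytes_missing(const uint8_t *frame, size_t caplen)
{
    if (caplen < 14 + 40 || frame[12] != 0x86 || frame[13] != 0xDD) return -1;
    uint16_t payload_len = (uint16_t)(frame[18] << 8 | frame[19]);
    size_t have = caplen - 14 - 40;
    if (payload_len == 0 || payload_len <= have) return 0;
    return (long)payload_len - (long)have;
}

/* Every zero-copy reader sees the same bytes, so one writer corrupts them all.
 * Snapshot the frame, run one consumer, byte-compare: returns the offset of the
 * first changed byte, -1 if untouched, -2 if the frame exceeds the snapshot. */
typedef void (*consumer_fn)(uint8_t *frame, size_t caplen);
long first_modified_offset(uint8_t *frame, size_t caplen, consumer_fn consumer)
{
    uint8_t snapshot[2048];
    if (caplen > sizeof snapshot) return -2;
    memcpy(snapshot, frame, caplen);
    consumer(frame, caplen);
    for (size_t i = 0; i < caplen; i++)
        if (frame[i] != snapshot[i]) return (long)i;
    return -1;
}

/* Constructed sample: Ethernet + IPv6 (Payload Length 20, Next Header TCP) + a
 * 20-byte TCP header = 74 bytes. Addresses stay zero; the check ignores them. */
#define SAMPLE_LEN 74
void build_sample_frame(uint8_t buf[SAMPLE_LEN])
{
    memset(buf, 0, SAMPLE_LEN);
    buf[12] = 0x86; buf[13] = 0xDD;   /* EtherType IPv6 */
    buf[14] = 0x60;                   /* Version 6 */
    buf[19] = 20;                     /* Payload Length = 20 */
    buf[20] = 6;  buf[21] = 64;       /* Next Header TCP, Hop Limit 64 */
}

/* Constructed misbehaving consumer (hypothetical, not Argus code): overwrites the
 * shared buffer's Payload Length with 5376, so every other reader now sees an
 * IPv6 packet claiming 5356 more bytes than are present. */
void bad_consumer_rewrites_plen(uint8_t *frame, size_t caplen)
{
    if (caplen >= 20) { frame[18] = 0x15; frame[19] = 0x00; }
}
```

Running each real consumer in turn through first_modified_offset() against a copy of the same cluster slot isolates which application, if any, is writing into shared memory.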
