Argus with PF_RING DNA clusters

Carter Bullard carter at qosient.com
Thu Sep 27 17:32:18 EDT 2012


Hmmmm, not thinking that we modify packets, but will look.  You're running argus-3.0.6+?  Thanks for the bug report!!!!

Carter

On Sep 27, 2012, at 5:00 PM, Chris Wakelin <c.d.wakelin at reading.ac.uk> wrote:

> Hi,
> 
> I've been having some more problems with ARGUS and PF_RING DNA clusters.
> It turns out that with ARGUS running, the other applications reading the
> same packets are seeing truncated IPv6 packets. As soon as ARGUS is
> stopped, things go back to normal.
> 
> E.g. tcpdump output:
> 
>> 18:45:36.174466600 IP6 truncated-ip6 - 5355 bytes missing!2001:630:53:26:5026:29a2:5863:dbaf.65226 > 2a00:1450:400c:c06::5d.443: Flags [.], seq 2651079285:2651084641, ack 1774208329, win 259, length 5356
>> 18:45:36.174535600 IP6 truncated-ip6 - 8160 bytes missing!2a00:1450:400c:c06::5d.443 > 2001:630:53:26:5026:29a2:5863:dbaf.65226: Flags [.], seq 1:8161, ack 1, win 272, options [nop,nop,sack 1 {0:1}], length 8160
> 
> The PF_RING clusters use a zero-copy mechanism which means that each
> application is seeing the exact same chunk of memory. Is it possible
> that ARGUS is modifying this, in particular for the IPv6 handling?
> 
> The "select() returning immediately" problem is still there, but the
> PF_RING authors say they're working on a fix. They don't think the IPv6
> issue is related.
> 
> Best Wishes,
> Chris
> 
> On 16/07/12 21:31, Chris Wakelin wrote:
>> On 16/07/12 01:16, Carter Bullard wrote:
>>> Hey Chris, More than likely the select() that is used to read the
>>> interface is not blocking for any amount of time.  We call it with a
>>> timeout value, which should give us some idle time if there aren't
>>> any packets.
>> 
>> I think you're probably right. With debug -D10:
>> 
>> ArgusGetPackets: pcap_dispatch() interface  1 up
>> ArgusUpdateTime (0x1708c70) not time
>> ArgusGetPackets: select() returned 1
>> ArgusGetPackets: pcap_dispatch() interface  1 up
>> ArgusUpdateTime (0x1708c70) not time
>> ArgusGetPackets: select() returned 1
>> ...
>> 
>> even when there's no packets.
>> 
>>> 
>>> Are these virtual interfaces selectable?
>> 
>> I think so, in that select() does succeed. There is an option to make
>> PF_RING block until a packet is received, but that doesn't seem to help.
>> 
>> PF_RING docs talk about poll() rather than select(), but I think they're
>> pretty much the same?
>> 
>> Best Wishes,
>> Chris
>> 
>>> 
>>> Carter
>>> 
>>> On Jul 15, 2012, at 4:48 PM, Chris Wakelin
>>> <c.d.wakelin at reading.ac.uk> wrote:
>>> 
>>>> Hi,
>>>> 
>>>> I've been trying to get Argus working with the more advanced
>>>> versions of PF_RING. In many ways this is similar to proprietary
>>>> capture cards except for being a software solution.
>>>> 
>>>> There's details of PF_RING DNA and a zero-copy mechanism called
>>>> libzero at http://www.ntop.org/products/pf_ring/libzero-for-dna/.
>>>> 
>>>> What it basically does is provide virtual interfaces
>>>> dnacluster:X@Y which each get a subset of the traffic. I'm hoping
>>>> to use something like -i
>>>> ind:dnacluster:1@0,dnacluster:1@1,...,dnacluster:1@7 to run a
>>>> multithreaded ARGUS.
>> 
>> <snip>
> 
> 
> -- 
> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
> IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
> Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
> 
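
The zero-copy point raised in the thread, as an added example that is not code from Argus, PF_RING or either poster and makes no claim about what Argus actually does: when every consumer reads the same slot, one consumer converting a header field in place changes what the next reader parses, and a snapshot compare around the consumer detects it. The header bytes are constructed, and the names consume_in_place, consume_copy and consumer_mutates are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 40-byte IPv6 fixed header whose payload-length
   field (bytes 4-5, network byte order) is 5356 = 0x14EC. */
static void make_hdr(uint8_t *b) {
    memset(b, 0, 40);
    b[0] = 0x60;              /* version 6 */
    b[4] = 0x14; b[5] = 0xEC; /* payload length 5356 */
}

/* Payload length as any reader of the shared slot would parse it. */
static unsigned wire_len(const uint8_t *b) { return (unsigned)(b[4] << 8 | b[5]); }

/* Hypothetical consumer A: converts the field to host order in place,
   modelled as an explicit byte swap so the result is the same on any CPU. */
static unsigned consume_in_place(uint8_t *b) {
    uint8_t t = b[4]; b[4] = b[5]; b[5] = t;
    return (unsigned)(b[5] << 8 | b[4]);
}

/* Hypothetical consumer B: copies the header, then converts the copy. */
static unsigned consume_copy(uint8_t *b) {
    uint8_t local[40];
    memcpy(local, b, sizeof local);
    return consume_in_place(local);
}

/* Returns 1 if running fn changed the shared slot; *seen is the length
   the next reader of the same slot would then parse. */
static int consumer_mutates(unsigned (*fn)(uint8_t *), unsigned *seen) {
    uint8_t slot[40], snap[40];
    make_hdr(slot);
    memcpy(snap, slot, sizeof snap);   /* snapshot before the consumer runs */
    fn(slot);
    *seen = wire_len(slot);
    return memcmp(slot, snap, sizeof slot) != 0;
}

int main(void) {
    unsigned a, b;
    int ma = consumer_mutates(consume_in_place, &a);
    int mb = consumer_mutates(consume_copy, &b);
    printf("in place: mutated=%d, next reader sees %u\n", ma, a);
    printf("copy:     mutated=%d, next reader sees %u\n", mb, b);
    return 0;
}
```

Both consumers compute the correct length for themselves; only the in-place one leaves the slot claiming a payload far larger than what was captured, which is the condition a second reader reports as a truncated packet.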


