Issue using ZC (zerocopy) interface notation
Jesse Bowling
jessebowling at gmail.com
Mon Dec 22 13:36:00 EST 2014
Hi,
I’m trying to use the PF_RING ZeroCopy libraries in order to feed an argus instance. In this case I’m using the intermediate zbalance_ipc process to bond two links together and share them to multiple apps. The zbalance_ipc process will expose new ‘interfaces” of the form “clusterID at instance”...so for me to expose argus to all the traffic from the physical interfaces I need to invoke argus an interface called (for instance):
argus -i zc:99 at 0 -w - |ra -r -
However argus doesn’t like this notation and I suspect it’s because of the colon...I get this alert message:
ArgusAlert: 22 Dec 14 13:33:04.588239 ArgusOpenInterface: pcap_open_live zc:99 at 0: No such device exists (SIOCGIFHWADDR: No such device)
Other apps compiled against the PF_RING libpcap libraries such as tcpdump issue a warning, but then continue:
# tcpdump -nn -i zc:99 at 0 -c 1000 > /dev/null
tcpdump: WARNING: SIOCGIFADDR: zc:99 at 0: No such device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on zc:99 at 0, link-type EN10MB (Ethernet), capture size 8192 bytes
1000 packets captured
1000 packets received by filter
0 packets dropped by kernel
Any help for this? :)
Cheers,
Jesse
More information about the argus
mailing list