Issue using ZC (zerocopy) interface notation
Carter Bullard
carter at qosient.com
Mon Dec 22 15:06:23 EST 2014
Hmmmm, we must need to do something specific for PF_RING….
you say there are examples ??? which version of tcpdump works ??
Carter
> On Dec 22, 2014, at 1:36 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
>
> Hi,
>
> I’m trying to use the PF_RING ZeroCopy libraries in order to feed an argus instance. In this case I’m using the intermediate zbalance_ipc process to bond two links together and share them to multiple apps. The zbalance_ipc process will expose new ‘interfaces” of the form “clusterID at instance”...so for me to expose argus to all the traffic from the physical interfaces I need to invoke argus an interface called (for instance):
>
> argus -i zc:99 at 0 -w - |ra -r -
>
> However argus doesn’t like this notation and I suspect it’s because of the colon...I get this alert message:
>
> ArgusAlert: 22 Dec 14 13:33:04.588239 ArgusOpenInterface: pcap_open_live zc:99 at 0: No such device exists (SIOCGIFHWADDR: No such device)
>
> Other apps compiled against the PF_RING libpcap libraries such as tcpdump issue a warning, but then continue:
>
> # tcpdump -nn -i zc:99 at 0 -c 1000 > /dev/null
> tcpdump: WARNING: SIOCGIFADDR: zc:99 at 0: No such device
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on zc:99 at 0, link-type EN10MB (Ethernet), capture size 8192 bytes
> 1000 packets captured
> 1000 packets received by filter
> 0 packets dropped by kernel
>
> Any help for this? :)
>
> Cheers,
>
> Jesse
More information about the argus
mailing list