Argus and PF_RING ZC drivers

Carter Bullard carter at qosient.com
Tue Oct 6 23:50:15 EDT 2015


Hey Craig,
Add your library to the end of the “LIB” variable that’s on line 87 of the ./argus/Makefile (not the Makefile.in).
On my system the definition of LIB in Makefile is:

LIB =  ../lib/libpcap.a  $(WRAPLIBS) $(SASLLIBS) $(COMPATLIB) ../lib/argus_common.a -lm 

Add this to the end…

LIB =  ../lib/libpcap.a  $(WRAPLIBS) $(SASLLIBS) $(COMPATLIB) ../lib/argus_common.a -lm /opt/PF_RING/userland/lib/libpfring.a

Hopefully that will work for you ...

Carter
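
The Makefile edit described above, with a triage of the ld output quoted further down, as an added example that is not part of the original thread or of the Argus build system. The function names are hypothetical, the sample Makefile and ld lines are constructed from text in this thread (paths abbreviated), and a single-line LIB definition is assumed.

```shell
#!/usr/bin/env bash
# Added example; helper names are hypothetical, paths are those in the thread.
PFRING_LIB=/opt/PF_RING/userland/lib/libpfring.a

# Unique symbols that ld reported as undefined (linker output on stdin).
undefined_symbols() {
    sed -n "s/.*undefined references\{0,1\} to \`\([^']*\)'.*/\1/p" | sort -u
}

# Append a library to the end of the single-line "LIB =" definition, once.
# Static archives are searched left to right, so the archive that defines
# pfring_* must come after the libpcap.a that references it.
append_lib() {
    makefile=$1; lib=$2
    grep -q '^LIB[[:space:]]*=' "$makefile" || return 1   # no LIB line
    if grep '^LIB[[:space:]]*=' "$makefile" | grep -qF -- "$lib"; then
        return 0    # already listed; do not add it twice
    fi
    cp "$makefile" "$makefile.orig"                       # keep a backup
    sed "/^LIB[[:space:]]*=/ s|[[:space:]]*\$| $lib|" "$makefile.orig" > "$makefile"
}

# True only when libpfring.a follows libpcap.a on the LIB line.
lib_order_ok() {
    grep '^LIB[[:space:]]*=' "$1" | grep -q 'libpcap\.a.*libpfring\.a'
}

# Constructed inputs: a cut-down Makefile and three ld lines from the thread.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'CC = gcc' \
      'LIB =  ../lib/libpcap.a  $(WRAPLIBS) $(SASLLIBS) $(COMPATLIB) ../lib/argus_common.a -lm ' \
      > "$dir/Makefile"
    cat > "$dir/ld.log" <<'EOF'
pcap.c:882: undefined reference to `pfring_breakloop'
pcap-linux.c:1628: undefined reference to `pfring_recv'
pcap-linux.c:1335: more undefined references to `pfring_set_cluster' follow
EOF
    undefined_symbols < "$dir/ld.log"      # every name should start with pfring_
    append_lib "$dir/Makefile" "$PFRING_LIB" && lib_order_ok "$dir/Makefile" \
        && grep '^LIB' "$dir/Makefile"
    rm -rf "$dir"
}

demo
```

Re-running ./configure regenerates ./argus/Makefile from Makefile.in and discards the edit, so it has to be applied again afterwards.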
 

> On Oct 6, 2015, at 8:11 PM, Craig Merchant <craig.merchant at oracle.com> wrote:
> 
> I’ve looked through the Makefile and I honestly have no idea how to add those libraries to it.  Can you point me in the right direction?
> 
> Thx.
> 
> C
>  
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Tuesday, October 06, 2015 3:46 PM
> To: Craig Merchant
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
>  
> Hey Craig,
> Just edit the Makefile in ./argus to add the library.  Better to do it by hand than to try to get automaker to figure it out, at least in the short term !!
> You are in uncharted waters for me ... but I'll make any changes needed !!!
> Carter
> 
> 
>  
> Carter Bullard • CTO
> 150 E 57th Street Suite 12D
> New York, New York 10022-2795
> Phone +1.212.588.9133 • Mobile +1.917.497.9494
> 
> On Oct 6, 2015, at 6:30 PM, Craig Merchant <craig.merchant at oracle.com> wrote:
> 
> I did some more digging around…  If I specify /opt/PF_RING/userland/libpcap/libpcap.a instead of just the directory, Argus finds what it needs and will complete the “make” process successfully.
>  
> Luca Deri from NTOP says I need to “add /opt/PF_RING/userland/lib/libpfring.a after libpcap.a”.  I tried the following:
>  
> ./configure --with-libpcap=/opt/PF_RING/userland/libpcap --with-pfring=/opt/PF_RING/userland/lib/libpfring.a
>  
> But that gives me a warning at the end:
>  
> configure: WARNING: unrecognized options: --with-pfring
>  
> How can I add the pfring files that the developer says are needed?
> 
> Thx.
> 
> C
>  
> From: Craig Merchant 
> Sent: Tuesday, October 06, 2015 2:35 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
>  
> I tried compiling the Argus network flow tool against the libpcap libraries from pf_ring:
>  
> ./configure --with-libpcap=/opt/PF_RING/userland/libpcap
>  
> The configure script doesn’t throw any errors, but it doesn’t seem to find everything it wants:
>  
> checking for specified library... /opt/PF_RING/userland/libpcap/libpcap.a
> checking for specified pcap.h... found
> checking for pcap_list_datalinks... no
> checking for pcap_set_datalink... no
> checking for pcap_datalink_name_to_val... no
> checking for pcap_set_buffer_size... no
> checking for pcap_fopen_offline... no
> checking for pcap_get_selectable_fd... no
> checking for pcap_next_ex... no
> checking for pcap_dump_ftell... no
> checking for pcap_dump_flush... no
>  
> Running make, however, throws a ton of errors:
>  
> make[1]: Entering directory `/home/craig.merchant/argus-3.0.8.2.rc.2/argus'
> gcc -O -I. -I/opt/PF_RING/userland/libpcap -I./../include  -DHAVE_CONFIG_H -o ../bin/argus argus.o ArgusModeler.o ArgusSource.o ArgusUtil.o ArgusOutput.o ArgusUdp.o ArgusTcp.o ArgusIcmp.o ArgusIgmp.o ArgusEsp.o ArgusArp.o ArgusFrag.o ArgusUdt.o ArgusLcp.o ArgusIsis.o ArgusAuth.o Argus802.11.o ArgusApp.o ArgusEvents.o ArgusNetflow.o ArgusSflow.o  /opt/PF_RING/userland/libpcap/libpcap.a  -lpthread    -lm ../lib/argus_common.a -lm
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap.o): In function `pcap_breakloop':
> /opt/PF_RING/userland/libpcap/./pcap.c:882: undefined reference to `pfring_breakloop'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_read_packet':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1628: undefined reference to `pfring_recv'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_stats_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:2071: undefined reference to `pfring_stats'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_cleanup_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1088: undefined reference to `pfring_close'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_setfilter_linux_common':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:2630: undefined reference to `pfring_get_bound_device_ifindex'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_activate_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1484: undefined reference to `pfring_enable_ring'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1485: undefined reference to `pfring_get_selectable_fd'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1316: undefined reference to `pfring_open'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1320: undefined reference to `pfring_set_socket_mode'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1347: undefined reference to `pfring_set_poll_watermark'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1345: undefined reference to `pfring_enable_rss_rehash'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1341: undefined reference to `pfring_set_application_name'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1325: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1327: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1329: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1331: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1333: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o):/opt/PF_RING/userland/libpcap/./pcap-linux.c:1335: more undefined references to `pfring_set_cluster' follow
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_get_pfring_id':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:6377: undefined reference to `pfring_get_ring_id'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_watermark':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:6404: undefined reference to `pfring_set_poll_watermark'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_setdirection_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:2733: undefined reference to `pfring_set_direction'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:2733: undefined reference to `pfring_set_direction'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_inject_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:2018: undefined reference to `pfring_send'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_appl_name_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1502: undefined reference to `pfring_set_application_name'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_cluster':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1508: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_master_id':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:6383: undefined reference to `pfring_set_master_id'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_master':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:6389: undefined reference to `pfring_set_master'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_application_name':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:6395: undefined reference to `pfring_set_application_name'
> collect2: error: ld returned 1 exit status
> make[1]: *** [../bin/argus] Error 1
> make[1]: Leaving directory `/home/craig.merchant/argus-3.0.8.2.rc.2/argus'
> ### Done with /home/craig.merchant/argus-3.0.8.2.rc.2/argus
> ### Making in /home/craig.merchant/argus-3.0.8.2.rc.2/events
> make[1]: Entering directory `/home/craig.merchant/argus-3.0.8.2.rc.2/events'
> make[1]: Nothing to be done for `all'.
> make[1]: Leaving directory `/home/craig.merchant/argus-3.0.8.2.rc.2/events'
> ### Done with /home/craig.merchant/argus-3.0.8.2.rc.2/events
>  
> Any ideas what’s happening here?
>  
> Thx.
>  
> C
>  
> From: Alfredo Cardigliano [mailto:cardigliano at ntop.org] 
> Sent: Tuesday, October 06, 2015 1:46 PM
> To: ntop-misc at listgateway.unipi.it
> Subject: Re: [Ntop-misc] How to make an application "PF_RING aware"
>  
> Hi Craig
> in order to run a pcap-based application on top of ZC, you need to link it to our pf_ring-aware libpcap,
> that’s how the tcpdump included in pf_ring works.
>  
> Alfredo
>  
> On 06 Oct 2015, at 21:23, Craig Merchant <craig.merchant at oracle.com> wrote:
>  
> I’ve installed the ZC drivers on an OEL 7 server.  I’ve tried getting both Splunk Stream and Argus to read the ZC interfaces, but neither of them see traffic.  The tcpdump included with the OS can’t see traffic on those interfaces, but the one included with ZC can.
>  
> What does an application developer have to do to make an application see traffic on a ZC interface?  I’m not a developer, so feel free to use small words.  I’m just curious what the process is and how much work is required to add that functionality.
>  
> Thanks.
> 
> C
>  
>  
> -----Original Message-----
> From: Jesse Bowling [mailto:jessebowling at gmail.com] 
> Sent: Tuesday, October 06, 2015 9:31 AM
> To: Craig Merchant
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
>  
> I'm experiencing a similar issue (at least it also applies to ZC drivers)...In my case I've worked around by having the included tcpdump read the interface, and write output to a FIFO pipe on the filesystem; I then have argus "read" that FIFO and generate data...i.e.:
>  
> mknod /tmp/argus p
> tcpdump -nn -i zc:99@0 -s 1600 -w /tmp/argus &
> argus -F /etc/argus.conf -f -r /tmp/argus
>  
> It works, but I can't speak to the additional load that creates by using a FIFO...
>  
> Craig, you might try quoting your interface command line and using at least argus-3.0.8.2.rc.2...
>  
> Specifically, when I try to specify a ZC interface I don't get any packets in:
> # argus -D 4 -F /etc/argus.conf -i 'zc:99@0'
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041453 ArgusNewModeler() returning 0x7fb5c4603010
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041569 ArgusNewSource(0x7fb5c4603010) returning 0x7fb5c30dd010
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041586 ArgusNewQueue () returning 0x1a384a0
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041596 ArgusNewList () returning 0x1a38540
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041606 ArgusNewList () returning 0x1a385e0
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041613 ArgusNewOutput() returning retn 0x1a37a20
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041633 setArgusMarReportInterval(60) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041715 setArgusPortNum(561) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041731 ArgusNewList () returning 0x1a388c0
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041741 ArgusParseResourceFile: ArgusBindAddr "(null)"
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041780 setArgusMarReportInterval(60) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041847 ArgusParseResourceFile (/etc/argus.conf) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041861 clearArgusDevice(0x7fb5c30dd010) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041872 ArgusNewList () returning 0x1a38680
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041882 setArgusDevice(zc:99@0 ) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041890 setArgusInterfaceStatus(0x7fb5c30dd010, 1)
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055180 ArgusGenerateInitialMar() returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055246 ArgusEstablishListen(0x1a37a20, 0x7ffeb3610200) binding: 127.0.0.1:561 family: 2
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055276 ArgusEstablishListen(0x1a37a20, 0x7ffeb3610200) returning 3
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055322 ArgusInitOutput() done
>     ArgusAlert: 06 Oct 15 11:35:15.055346 started
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055363 ArgusNewList () returning 0x1ae7de0
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055376 ArgusCloneSource(0x7fb5c30dd010) returning 0x7fb5c22c5010
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055385 clearArgusDevice(0x7fb5c22c5010) returning
> argus[6265.0007edc2b57f0000]: 06 Oct 15 11:35:15.055433 ArgusOutputProcess(0x1a37a20) starting
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064100 Arguslookup_pcap_callback(1) returning 0x417b0a
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064125 ArgusOpenInterface(0x7fb5c22c5010, 'zc:99@0') returning 1
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064829 ArgusNewHashTable (65536) returning 0x1af8d20
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064852 ArgusNewQueue () returning 0x1af8de0
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064862 ArgusNewQueue () returning 0x1af8e80
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064895 ArgusInitModeler(0x7fb5c44f1010) done
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064904 ArgusInitSource(0x7fb5c22c5010) returning 1
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.064951 ArgusGetPackets (0x7fb5c22c5010) starting
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.064986 setArgusInterfaceStatus(0x7fb5c22c5010, 1)
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.065003 ArgusGetPackets: interface  is selectable
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.065012 setArgusInterfaceStatus(0x7fb5c22c5010, 1)
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.265347 setArgusInterfaceStatus(0x7fb5c22c5010, 1)
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.765989 setArgusInterfaceStatus(0x7fb5c22c5010, 1)
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:16.266622 setArgusInterfaceStatus(0x7fb5c22c5010, 1)
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:16.767294 setArgusInterfaceStatus(0x7fb5c22c5010, 1) <snip; last line just repeats indefinitely>
>  
> Cheers,
>  
> Jesse
>  
> > On 2015/10/6, at 11:07, Craig Merchant <craig.merchant at oracle.com> wrote:
> > 
> > Hey, Carter…
> >  
> > I’m trying to get Argus to recognize my PF_RING ZC interfaces, but it says it can’t find them.
> >  
> > I see the following at line 4436 of ArgusSource.c:
> >  
> >    if ((strstr(device->name, "dag")) || (strstr(device->name, "napa")) ||
> >        (strstr(device->name, "dna")) || (strstr(device->name, "zc"))   ||
> >       ((strstr(device->name, "eth")) && (strstr(device->name, "@")))) 
> > {
> >  
> > It looks to me like you’ve compiled support for both ZC and the old DNA/libzero interfaces into Argus.  I’m running the following ZC client to fan out my network traffic:
> >  
> > zbalance_ipc -i enp48s0f0,enp48s0f1 -c 10 -n 4,1 -m 1 -d
> >  
> > That means my interfaces are zc:0, zc:1, zc:2, and zc:3 for the load balanced traffic and zc:4 for the second full copy of the traffic.  Argus doesn’t recognize any of them as valid interfaces:
> >  
> > ArgusWarning: 05 Oct 15 23:07:12.848794 ArgusOpenInterface zc:10@4: 
> > SIOCGIFHWADDR: No such device
> >  
> > The tcpdump that ships with OEL 7 can’t see them either, but the pf_ring aware version that comes with the ZC drivers sees traffic on those interfaces.  
> >  
> > Is there something I can do to make Argus aware of the pf_ring ZC interfaces?
> > 
> > Thanks!
> >  
> > C
>  
>  
