Argus and PF_RING ZC drivers
Craig Merchant
craig.merchant at oracle.com
Wed Oct 7 15:10:07 EDT 2015
Progress!
I added the pf_ring and their libpcap libraries to the Makefile and it compiled successfully. When I start Argus, I don't get any complaints that the hardware interface is unknown. But I also don't see the "interface up" message. I ran Argus with -D 4 and this is what I see (interface is zc:10 at 4):
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187410 ArgusNewModeler() returning 0x7f4f94267010
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187508 ArgusNewSource(0x7f4f94267010) returning 0x7f4f933ec010
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187520 ArgusNewQueue () returning 0xcd41b0
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187528 ArgusNewList () returning 0xcd42a0
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187533 ArgusNewList () returning 0xcd4340
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187538 ArgusNewOutput() returning retn 0xcd4050
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187549 setArgusMarReportInterval(60) returning
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187584 setArgusID(0x7f4f933ec010, 0x7ffe529b2612, 0x21) done
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187599 ArgusNewList () returning 0xcd4620
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187606 ArgusParseResourceFile: ArgusBindAddr "(null)"
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187613 setArgusPortNum(561) returning
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187618 clearArgusDevice(0x7f4f933ec010) returning
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187625 ArgusNewList () returning 0xcd46e0
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187633 setArgusDevice(zc:10 at 4) returning
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187672 ArgusParseResourceFile (/etc/argus.conf) returning
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187684 clearArgusDevice(0x7f4f933ec010) returning
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187691 setArgusDevice(zc:10 at 4 ) returning
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187696 setArgusInterfaceStatus(0x7f4f933ec010, 1)
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195096 ArgusGenerateInitialMar() returning
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195135 ArgusEstablishListen(0xcd4050, 0x7ffe529b2600) binding: 10.86.21.22:561 family: 2
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195159 ArgusEstablishListen(0xcd4050, 0x7ffe529b2600) returning 3
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195194 ArgusInitOutput() done
ArgusAlert: 07 Oct 15 19:07:14.195209 started
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195223 ArgusNewList () returning 0xd84820
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195233 ArgusCloneSource(0x7f4f933ec010) returning 0x7f4f921c7010
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195239 clearArgusDevice(0x7f4f921c7010) returning
argus[28919.0027dd924f7f0000]: 07 Oct 15 19:07:14.195246 ArgusOutputProcess(0xcd4050) starting
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.202747 Arguslookup_pcap_callback(1) returning 0x40ee9d
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.202763 ArgusOpenInterface(0x7f4f921c7010, 'zc:10 at 4') returning 1
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.203133 ArgusNewHashTable (65536) returning 0xd95840
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.203145 ArgusNewQueue () returning 0xd95900
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.203150 ArgusNewQueue () returning 0xd959a0
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.203171 ArgusInitModeler(0x7f4f94155010) done
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.203176 ArgusInitSource(0x7f4f921c7010) returning 1
argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.203238 ArgusGetPackets (0x7f4f921c7010) starting
argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.203260 setArgusInterfaceStatus(0x7f4f921c7010, 1)
argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.203268 ArgusGetPackets: interface is selectable
argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.203273 setArgusInterfaceStatus(0x7f4f921c7010, 1)
argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.403498 setArgusInterfaceStatus(0x7f4f921c7010, 1)
argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.904031 setArgusInterfaceStatus(0x7f4f921c7010, 1)
argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:15.404562 setArgusInterfaceStatus(0x7f4f921c7010, 1)
Any thoughts on what's happening here? Let me know if you need a more intense debug output.
Thanks!
-----Original Message-----
From: Carter Bullard [mailto:carter at qosient.com]
Sent: Tuesday, October 06, 2015 8:50 PM
To: Craig Merchant
Cc: Argus
Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
Hey Craig,
Add your library to the end of the “LIB” variable that’s on line 87 of the ./argus/Makefile (not the Makefile.in).
On my system the definition of LIB in Makefile is:
LIB = ../lib/libpcap.a $(WRAPLIBS) $(SASLLIBS) $(COMPATLIB) ../lib/argus_common.a -lm
Add this to the end…
LIB = ../lib/libpcap.a $(WRAPLIBS) $(SASLLIBS) $(COMPATLIB) ../lib/argus_common.a -lm /opt/PF_RING/userland/lib/libpfring.a
Hopefully that will work for you ...
Carter
> On Oct 6, 2015, at 8:11 PM, Craig Merchant <craig.merchant at oracle.com> wrote:
>
> I’ve looked through the Makefile and I honestly have no idea how to add those libraries to it. Can you point me in the right direction?
>
> Thx.
>
> C
>
> From: Carter Bullard [mailto:carter at qosient.com]
> Sent: Tuesday, October 06, 2015 3:46 PM
> To: Craig Merchant
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
>
> Hey Craig,
> Just edit the Makefile in ./argus to add the library. Better to do it by hand that to try to get automaker to figure it out, at least in the short term !!
> You are in uncharted waters for me ... but I'll make any changes needed !!!
> Carter
>
>
>
> Carter Bullard • CTO
> 150 E 57th Street Suite 12D
> New York, New York 10022-2795
> Phone +1.212.588.9133 • Mobile +1.917.497.9494
>
> On Oct 6, 2015, at 6:30 PM, Craig Merchant <craig.merchant at oracle.com> wrote:
>
> I did some more digging around… If I specify /opt/PF_RING/userland/libpcap/libpcap.a instead of just the directory, Argus finds what it needs and will complete the “make” process successfully.
>
> Luca Deri from NTOP says I need to “ add /opt/PF_RING/userland/lib/libpfring.a after libpcap.a”. I tried the following:
>
> ./configure –with-libpcap=/opt/PF_RING/userland/libpcap
> –with-pfring=/opt/PF_RING/userland/lib/libpfring.a
>
> But that gives me a warning at the end:
>
> configure: WARNING: unrecognized options: --with-pfring
>
> How can I add the pfring files that the developer says are needed?
>
> Thx.
>
> C
>
> From: Craig Merchant
> Sent: Tuesday, October 06, 2015 2:35 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
>
> I tried compiling the Argus network flow tool against the libpcap libraries from pf_ring:
>
> ./configure –with-libpcap=/opt/PF_RING/userland/libpcap
>
> The configure script doesn’t throw any errors, but it doesn’t seem to find everything it wants:
>
> checking for specified library...
> /opt/PF_RING/userland/libpcap/libpcap.a
> checking for specified pcap.h... found checking for
> pcap_list_datalinks... no checking for pcap_set_datalink... no
> checking for pcap_datalink_name_to_val... no checking for
> pcap_set_buffer_size... no checking for pcap_fopen_offline... no
> checking for pcap_get_selectable_fd... no checking for pcap_next_ex...
> no checking for pcap_dump_ftell... no checking for pcap_dump_flush...
> no
>
> Running make, however, throws a ton of errors:
>
> make[1]: Entering directory `/home/craig.merchant/argus-3.0.8.2.rc.2/argus'
> gcc -O -I. -I/opt/PF_RING/userland/libpcap -I./../include -DHAVE_CONFIG_H -o ../bin/argus argus.o ArgusModeler.o ArgusSource.o ArgusUtil.o ArgusOutput.o ArgusUdp.o ArgusTcp.o ArgusIcmp.o ArgusIgmp.o ArgusEsp.o ArgusArp.o ArgusFrag.o ArgusUdt.o ArgusLcp.o ArgusIsis.o ArgusAuth.o Argus802.11.o ArgusApp.o ArgusEvents.o ArgusNetflow.o ArgusSflow.o /opt/PF_RING/userland/libpcap/libpcap.a -lpthread -lm ../lib/argus_common.a -lm
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap.o): In function `pcap_breakloop':
> /opt/PF_RING/userland/libpcap/./pcap.c:882: undefined reference to `pfring_breakloop'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_read_packet':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1628: undefined reference to `pfring_recv'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_stats_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:2071: undefined reference to `pfring_stats'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_cleanup_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1088: undefined reference to `pfring_close'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_setfilter_linux_common':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:2630: undefined reference to `pfring_get_bound_device_ifindex'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_activate_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1484: undefined reference to `pfring_enable_ring'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1485: undefined reference to `pfring_get_selectable_fd'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1316: undefined reference to `pfring_open'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1320: undefined reference to `pfring_set_socket_mode'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1347: undefined reference to `pfring_set_poll_watermark'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1345: undefined reference to `pfring_enable_rss_rehash'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1341: undefined reference to `pfring_set_application_name'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1325: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1327: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1329: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1331: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1333: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o):/opt/PF_RING/use
> rland/libpcap/./pcap-linux.c:1335: more undefined references to
> `pfring_set_cluster' follow
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_get_pfring_id':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:6377: undefined reference to `pfring_get_ring_id'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_watermark':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:6404: undefined reference to `pfring_set_poll_watermark'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_setdirection_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:2733: undefined reference to `pfring_set_direction'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:2733: undefined reference to `pfring_set_direction'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_inject_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:2018: undefined reference to `pfring_send'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_appl_name_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1502: undefined reference to `pfring_set_application_name'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_cluster':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1508: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_master_id':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:6383: undefined reference to `pfring_set_master_id'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_master':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:6389: undefined reference to `pfring_set_master'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_application_name':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:6395: undefined reference to `pfring_set_application_name'
> collect2: error: ld returned 1 exit status
> make[1]: *** [../bin/argus] Error 1
> make[1]: Leaving directory `/home/craig.merchant/argus-3.0.8.2.rc.2/argus'
> ### Done with /home/craig.merchant/argus-3.0.8.2.rc.2/argus
> ### Making in /home/craig.merchant/argus-3.0.8.2.rc.2/events
> make[1]: Entering directory `/home/craig.merchant/argus-3.0.8.2.rc.2/events'
> make[1]: Nothing to be done for `all'.
> make[1]: Leaving directory `/home/craig.merchant/argus-3.0.8.2.rc.2/events'
> ### Done with /home/craig.merchant/argus-3.0.8.2.rc.2/events
>
> Any ideas what’s happening here?
>
> Thx.
>
> C
>
> From: Alfredo Cardigliano [mailto:cardigliano at ntop.org]
> Sent: Tuesday, October 06, 2015 1:46 PM
> To: ntop-misc at listgateway.unipi.it
> Subject: Re: [Ntop-misc] How to make an application "PF_RING aware"
>
> Hi Craig
> in order to run a pcap-based application on top of ZC, you need to
> link it to our pf_ring-aware libpcap, that’s how the tcpdump included in pf_ring works.
>
> Alfredo
>
> On 06 Oct 2015, at 21:23, Craig Merchant <craig.merchant at oracle.com> wrote:
>
> I’ve installed the ZC drivers on an OEL 7 server. I’ve tried getting both Splunk Stream and Argus to read the ZC interfaces, but neither of them see traffic. The tcpdump included with the OS can’t see traffic on those interfaces, but the one included with ZC can.
>
> What does an application developer have to do to make an application see traffic on a ZC interface? I’m not a developer, so feel free to use small words. I’m just curious what the process is and how much work is required to add that functionality.
>
> Thanks.
>
> C
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc at listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>
>
> -----Original Message-----
> From: Jesse Bowling [mailto:jessebowling at gmail.com]
> Sent: Tuesday, October 06, 2015 9:31 AM
> To: Craig Merchant
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
>
> I'm experiencing a similar issue (at least it also applies to ZC drivers)...In my case I've worked around by having the included tcpdump read the interface, and write output to a FIFO pipe on the filesystem; I then have argus "read" that FIFO and generate data...i.e.:
>
> mknod -p /tmp/argus
> tcpdump -nn -i zc:99 at 0 -s 1600 -w /tmp/argus argus -F /etc/argus.conf
> -f -r /tmp/argus
>
> It works, but I can't speak to the additional load that creates by using a FIFO...
>
> Craig, you might try quoting your interface command line and using at least argus-3.0.8.2.rc.2...
>
> Specifically, when I try to specify a ZC interface I I don't get any packets in:
> # argus -D 4 -F /etc/argus.conf -i 'zc:99 at 0'
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041453
> ArgusNewModeler() returning 0x7fb5c4603010
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041569
> ArgusNewSource(0x7fb5c4603010) returning 0x7fb5c30dd010
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041586 ArgusNewQueue
> () returning 0x1a384a0
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041596 ArgusNewList
> () returning 0x1a38540
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041606 ArgusNewList
> () returning 0x1a385e0
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041613
> ArgusNewOutput() returning retn 0x1a37a20
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041633
> setArgusMarReportInterval(60) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041715
> setArgusPortNum(561) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041731 ArgusNewList
> () returning 0x1a388c0
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041741 ArgusParseResourceFile: ArgusBindAddr "(null)"
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041780
> setArgusMarReportInterval(60) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041847
> ArgusParseResourceFile (/etc/argus.conf) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041861
> clearArgusDevice(0x7fb5c30dd010) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041872 ArgusNewList
> () returning 0x1a38680
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041882
> setArgusDevice(zc:99 at 0 ) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041890
> setArgusInterfaceStatus(0x7fb5c30dd010, 1)
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055180
> ArgusGenerateInitialMar() returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055246
> ArgusEstablishListen(0x1a37a20, 0x7ffeb3610200) binding: 127.0.0.1:561
> family: 2
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055276
> ArgusEstablishListen(0x1a37a20, 0x7ffeb3610200) returning 3
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055322 ArgusInitOutput() done
> ArgusAlert: 06 Oct 15 11:35:15.055346 started
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055363 ArgusNewList
> () returning 0x1ae7de0
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055376
> ArgusCloneSource(0x7fb5c30dd010) returning 0x7fb5c22c5010
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055385
> clearArgusDevice(0x7fb5c22c5010) returning
> argus[6265.0007edc2b57f0000]: 06 Oct 15 11:35:15.055433
> ArgusOutputProcess(0x1a37a20) starting
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064100
> Arguslookup_pcap_callback(1) returning 0x417b0a
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064125
> ArgusOpenInterface(0x7fb5c22c5010, 'zc:99 at 0') returning 1
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064829
> ArgusNewHashTable (65536) returning 0x1af8d20
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064852 ArgusNewQueue
> () returning 0x1af8de0
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064862 ArgusNewQueue
> () returning 0x1af8e80
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064895
> ArgusInitModeler(0x7fb5c44f1010) done
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064904
> ArgusInitSource(0x7fb5c22c5010) returning 1
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.064951
> ArgusGetPackets (0x7fb5c22c5010) starting
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.064986
> setArgusInterfaceStatus(0x7fb5c22c5010, 1)
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.065003
> ArgusGetPackets: interface is selectable
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.065012
> setArgusInterfaceStatus(0x7fb5c22c5010, 1)
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.265347
> setArgusInterfaceStatus(0x7fb5c22c5010, 1)
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.765989
> setArgusInterfaceStatus(0x7fb5c22c5010, 1)
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:16.266622
> setArgusInterfaceStatus(0x7fb5c22c5010, 1)
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:16.767294
> setArgusInterfaceStatus(0x7fb5c22c5010, 1) <snip; last line just
> repeats indefinitely>
>
> Cheers,
>
> Jesse
>
> > On 2015/10/6, at 11:07, Craig Merchant <craig.merchant at oracle.com> wrote:
> >
> > Hey, Carter…
> >
> > I’m trying to get Argus to recognize my PF_RING ZC interfaces, but it says it can’t find them.
> >
> > I see the following at line 4436 of ArgusSource.c:
> >
> > if ((strstr(device->name, "dag")) || (strstr(device->name, "napa")) ||
> > (strstr(device->name, "dna")) || (strstr(device->name, "zc")) ||
> > ((strstr(device->name, "eth")) && (strstr(device->name,
> > "@")))) {
> >
> > It looks to me like you’ve compiled support for both ZC and the old DNA/libzero interfaces into Argus. I’m running the following ZC client to fan out my network traffic:
> >
> > zbalance_ipc -i enp48s0f0,enp48s0f1 -c 10 -n 4,1 -m 1 –d
> >
> > That means my interfaces are zc:0, zc:1, zc:2, and zc:3 for the load balanced traffic and zc:4 for the second full copy of the traffic. Argus doesn’t recognize any of them as valid interfaces:
> >
> > ArgusWarning: 05 Oct 15 23:07:12.848794 ArgusOpenInterface zc:10 at 4:
> > SIOCGIFHWADDR: No such device
> >
> > The tcpdump that ships with OEL 7 can’t see them either, but the pf_ring aware version that comes with the ZC drivers sees traffic on those interfaces.
> >
> > Is there something I can do to make Argus aware of the pf_ring ZC interfaces?
> >
> > Thanks!
> >
> > C
>
>
More information about the argus
mailing list