<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><style>body { line-height: 1.5; }blockquote { margin-top: 0px; margin-bottom: 0px; margin-left: 0.5em; }div.FoxDiv20180919145924246742 { }body { font-size: 10.5pt; font-family: 'Microsoft YaHei UI'; color: rgb(0, 0, 0); line-height: 1.5; }</style></head><body>
<div>Hi Konstantin</div>
<pre>af-packet:
  - interface: ens4f1
    threads: 40
    cluster-id: 99
    cluster-type: cluster_ebpf
    defrag: yes
    <font color="#ff0000">ebpf-lb-file: /etc/suricata/ebpf/lb.bpf</font>
    use-mmap: yes</pre>
<div><br></div><hr style="width: 210px; height: 1px;" color="#b5c4df" size="1" align="left">
<div><span><div style="MARGIN: 10px; FONT-FAMILY: verdana; FONT-SIZE: 10pt"><div>mazhuang@17paipai.cn</div></div></span></div>
<blockquote style="margin-Top: 0px; margin-Bottom: 0px; margin-Left: 0.5em"><div> </div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><div style="PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-SIZE: 12px;FONT-FAMILY:tahoma;COLOR:#000000; BACKGROUND: #efefef; PADDING-BOTTOM: 8px; PADDING-TOP: 8px"><div><b>From:</b> <a href="mailto:Konstantin.Klinger@dcso.de">Konstantin Klinger</a></div><div><b>Date:</b> 2018-09-19 12:23</div><div><b>To:</b> <a href="mailto:michalpurzynski1@gmail.com">Michał Purzyński</a></div><div><b>CC:</b> <a href="mailto:mazhuang@17paipai.cn">mazhuang@17paipai.cn</a>; <a href="mailto:oisf-users@lists.openinfosecfoundation.org">Open Information Security Foundation</a></div><div><b>Subject:</b> Re: [Oisf-users] suricata 4.1 eBpf load balance</div></div></div><div><div class="FoxDiv20180919145924246742">
<div>Hi,</div>
<div><br>
</div>
I would be interested in how you have included this bpf filter in your config?<br>
<br>
Cheers,
<div><br>
</div>
<div>Konstantin </div>
<div><br>
<div id="AppleMailSignature"><span style="background-color: rgba(255, 255, 255, 0);">-- <br>
Konstantin Klinger<br>
Security Content Engineer<br>
Threat Detection & Hunting (TDH)<br>
<br>
<a href="tel:+49%20160%2095476260" dir="ltr" x-apple-data-detectors="true" x-apple-data-detectors-type="telephone" x-apple-data-detectors-result="1">+49 160 95476260</a><br>
<a href="mailto:konstantin.klinger@dcso.de" dir="ltr" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="2">konstantin.klinger@dcso.de</a><br>
<br>
<a href="http://dcso.de/" dir="ltr" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="3">dcso.de</a><br>
<a href="http://blog.dcso.de/" dir="ltr" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="4">blog.dcso.de</a><br>
<br>
PGP: 180D C5B3 3C68 5C9A FB58 6F33 400E 5A35 3307 8D46<br>
<br>
DCSO Deutsche Cyber-Sicherheitsorganisation GmbH • EUREF-Campus<br>
22 • 10829 Berlin, Germany<br>
Managing Director: Dr.-Ing. Gunnar Siebert, Registered office: Berlin,<br>
Charlottenburg District Court HRB 172382</span></div>
<div><br>
On 18.09.2018 at 20:22, Michał Purzyński &lt;<a href="mailto:michalpurzynski1@gmail.com">michalpurzynski1@gmail.com</a>&gt; wrote:<br>
<br>
</div>
<blockquote type="cite" style="margin-top: 0px;">
<div>
<div dir="ltr">Can you stop sending screenshots and just C&P logs instead?</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Tue, Sep 18, 2018 at 7:53 AM <a href="mailto:mazhuang@17paipai.cn">
mazhuang@17paipai.cn</a> <<a href="mailto:mazhuang@17paipai.cn">mazhuang@17paipai.cn</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div><span></span>Hi Eric</div>
<div><span style="color:rgb(0,0,0);background-color:rgba(0,0,0,0)"> I sure have VLAN in my traffic.</span></div>
<div><br>
</div>
<hr style="width:210px;height:1px" color="#b5c4df" size="1" align="left">
<div><span>
<div style="MARGIN:10px;FONT-FAMILY:verdana;FONT-SIZE:10pt">
<div><a href="mailto:mazhuang@17paipai.cn" target="_blank">mazhuang@17paipai.cn</a></div>
</div>
</span></div>
<blockquote style="margin-Top:0px;margin-Bottom:0px;margin-Left:0.5em">
<div> </div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<div style="PADDING-RIGHT:8px;PADDING-LEFT:8px;FONT-SIZE:12px;FONT-FAMILY:tahoma;COLOR:#000000;BACKGROUND:#efefef;PADDING-BOTTOM:8px;PADDING-TOP:8px">
<div><b>From:</b> <a href="mailto:eric@regit.org" target="_blank">Eric Leblond</a></div>
<div><b>Date:</b> 2018-09-18 22:06</div>
<div><b>To:</b> <a href="mailto:mazhuang@17paipai.cn" target="_blank">mazhuang@17paipai.cn</a>;
<a href="mailto:petermanev@gmail.com" target="_blank">Peter Manev</a></div>
<div><b>CC:</b> <a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users</a></div>
<div><b>Subject:</b> Re: Re: [Oisf-users] suricata 4.1 eBpf load balance</div>
</div>
</div>
<div>
<div>Hello,</div>
<div> </div>
<div>On Tue, 2018-09-18 at 21:42 +0800, <a href="mailto:mazhuang@17paipai.cn" target="_blank">
mazhuang@17paipai.cn</a> wrote:</div>
<div>> Hi Eric</div>
<div>> I used the new lb.c error report as shown below</div>
<div>> No permissions? The figure lb.bpf is readable</div>
<div> </div>
<div>OK, let me do some tests and tries here.</div>
<div> </div>
<div>Just to be sure, do you have VLAN in your traffic ?</div>
<div> </div>
<div>BR,</div>
<div>--</div>
<div>Eric</div>
<div> </div>
<div>> </div>
<div>> </div>
<div>> </div>
<div>> <a href="mailto:mazhuang@17paipai.cn" target="_blank">mazhuang@17paipai.cn</a></div>
<div>> > </div>
<div>> > From: Eric Leblond</div>
<div>> > Date: 2018-09-18 21:24</div>
<div>> > To: <a href="mailto:mazhuang@17paipai.cn" target="_blank">mazhuang@17paipai.cn</a>; Peter Manev</div>
<div>> > CC: oisf-users</div>
<div>> > Subject: Re: [Oisf-users] suricata 4.1 eBpf load balance</div>
<div>> > Hello,</div>
<div>> > </div>
<div>> > On Tue, 2018-09-18 at 21:14 +0800, <a href="mailto:mazhuang@17paipai.cn" target="_blank">
mazhuang@17paipai.cn</a> wrote:</div>
<div>> > > Hi Peter</div>
<div>> > > I'm using the suricata source code itself:</div>
<div>> > > <a href="https://github.com/OISF/suricata/blob/master/ebpf/lb.c" target="_blank">
https://github.com/OISF/suricata/blob/master/ebpf/lb.c</a></div>
<div>> > </div>
<div>> > This code does not support VLAN; maybe this is your issue.</div>
<div>> > </div>
<div>> > I've pushed a new version with VLAN support:</div>
<div>> > </div>
<div>> > <a href="https://github.com/regit/suricata/tree/ebpf-update" target="_blank">
https://github.com/regit/suricata/tree/ebpf-update</a></div>
<div>> > </div>
<div>> > Can you give it a try ?</div>
<div>> > </div>
<div>> > You can either use the branch or copy the lb.c to your source tree.</div>
<div>> > </div>
<div>> > BR,</div>
<div>> > --</div>
<div>> > Eric Leblond</div>
<div>> > </div>
<div>> > ></div>
<div>> > > <a href="mailto:mazhuang@17paipai.cn" target="_blank">mazhuang@17paipai.cn</a></div>
<div>> > > > </div>
<div>> > > > From: Peter Manev</div>
<div>> > > > Date: 2018-09-18 21:12</div>
<div>> > > > To: mazhuang</div>
<div>> > > > CC: Open Information Security Foundation</div>
<div>> > > > Subject: Re: [Oisf-users] suricata 4.1 eBpf load balance</div>
<div>> > > > On Tue, Sep 18, 2018 at 2:48 PM <a href="mailto:mazhuang@17paipai.cn" target="_blank">
mazhuang@17paipai.cn</a></div>
<div>> > > > <<a href="mailto:mazhuang@17paipai.cn" target="_blank">mazhuang@17paipai.cn</a>> wrote:</div>
<div>> > > > ></div>
<div>> > > > > Hi All</div>
<div>> > > > > I followed</div>
<div>> > > > </div>
<div>> > <a href="https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html#setup-ebpf-load-balancing" target="_blank">
https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html#setup-ebpf-load-balancing</a></div>
<div>> > > > this tutorial to configure ebpf load balancing, but the result</div>
<div>> > was</div>
<div>> > > > only one core processing the data</div>
<div>> > > > ></div>
<div>> > > > ></div>
<div>> > > > > Suricata Version:4.1</div>
<div>> > > > > OS:Centos 7</div>
<div>> > > > > Kernel:Linux yg 4.18.8-1.el7.elrepo.x86_64 #1 SMP Sat Sep</div>
<div>> > 15</div>
<div>> > > > 10:10:09 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux</div>
<div>> > > > > CPU:Intel(R) Xeon(R) CPU E5-2640 v4 @ 2.40GHz x2</div>
<div>> > > > > Memory:128G</div>
<div>> > > > </div>
<div>> > > > </div>
<div>> > > > Can you share your balancer (lb.bpf) so i can try to reproduce?</div>
<div>> > > > </div>
<div>> > > > </div>
<div>> > > > </div>
<div>> > > > --</div>
<div>> > > > Regards,</div>
<div>> > > > Peter Manev</div>
<div>> > > > </div>
<div>> > ></div>
<div>> > > _______________________________________________</div>
<div>> > > Suricata IDS Users mailing list: </div>
<div>> > <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a></div>
<div>> > > Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:</div>
<div>> > > <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a></div>
<div>> > > List:</div>
<div>> > > </div>
<div>> > <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">
https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></div>
<div>> > ></div>
<div>> > > Conference: <a href="https://suricon.net" target="_blank">https://suricon.net</a></div>
<div>> > > Trainings: <a href="https://suricata-ids.org/training/" target="_blank">
https://suricata-ids.org/training/</a></div>
<div>> > --</div>
<div>> > Eric Leblond <<a href="mailto:eric@regit.org" target="_blank">eric@regit.org</a>></div>
<div>> > </div>
<div>-- </div>
<div>Eric Leblond <<a href="mailto:eric@regit.org" target="_blank">eric@regit.org</a>></div>
<div> </div>
</div>
</blockquote>
</div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">
oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support:
<a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">
https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">
https://suricata-ids.org/training/</a></blockquote>
</div>
</div>
</blockquote>
</div>
</div></div></blockquote>
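<div>The symptom discussed in this thread (one core receiving all traffic when the capture carries VLAN tags) can be modelled in user space. The following is an added example, not code from the thread or from Suricata's lb.c: it assumes a balancer that hashes only frames whose outer EtherType is IPv4 and falls back to hash 0 otherwise, and compares it with a variant that skips one 802.1Q tag. All function names and the frames built by <code>make_frame</code> are hypothetical and constructed for illustration.</div>

```c
/* Added illustration (not Suricata's lb.c): user-space model of a flow-hash balancer. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETH_HLEN    14
#define ETH_P_IP    0x0800
#define ETH_P_8021Q 0x8100
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Symmetric hash of the IPv4 source and destination at offset off; 0 if truncated. */
static uint32_t ipv4_hash(const uint8_t *f, size_t len, size_t off) {
    if (len < off + 20) return 0;
    return rd32(f + off + 12) + rd32(f + off + 16);
}

/* Assumed VLAN-unaware behaviour: any non-IPv4 outer EtherType hashes to 0. */
uint32_t hash_no_vlan(const uint8_t *f, size_t len) {
    if (len < ETH_HLEN) return 0;
    return rd16(f + 12) == ETH_P_IP ? ipv4_hash(f, len, ETH_HLEN) : 0;
}

/* VLAN-aware variant: skip one 4-byte 802.1Q tag before reading the EtherType. */
uint32_t hash_vlan(const uint8_t *f, size_t len) {
    if (len < ETH_HLEN) return 0;
    size_t off = ETH_HLEN;
    uint16_t proto = rd16(f + 12);
    if (proto == ETH_P_8021Q) {
        if (len < ETH_HLEN + 4) return 0;
        proto = rd16(f + 16);   /* inner EtherType follows the 2-byte TCI */
        off += 4;
    }
    return proto == ETH_P_IP ? ipv4_hash(f, len, off) : 0;
}

/* Constructed frame: zero MACs, optional VLAN tag, minimal IPv4 header (buf >= 64 bytes). */
size_t make_frame(uint8_t *buf, int vlan_id, uint32_t src, uint32_t dst) {
    size_t n = 12;
    memset(buf, 0, 64);
    if (vlan_id >= 0) { buf[12] = 0x81; buf[14] = (uint8_t)(vlan_id >> 8); buf[15] = (uint8_t)vlan_id; n = 16; }
    buf[n] = 0x08;              /* EtherType 0x0800 */
    buf[n + 2] = 0x45;          /* IPv4, IHL 5 */
    for (int i = 0; i < 4; i++) {
        buf[n + 14 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[n + 18 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    return n + 22;
}
```

<div>With <code>threads: 40</code> as in the configuration above, taking the hash modulo 40 puts every tagged flow on thread 0 under the VLAN-unaware model, while the VLAN-aware variant spreads them by address pair.</div>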
</body></html>