[Oisf-devel] PF_RING missing alerts that PF_RING-enabled libpcap matches
Chris Wakelin
c.d.wakelin at reading.ac.uk
Wed Jul 27 21:54:08 UTC 2011
Yes, it is the PF_RING enabled libpcap. I've not tried without, though I
assume it works! One odd thing though is with PF_RING runmodes I have
/proc/net/pf_ring/<pid>-eth2.xxx (before sending any packets):
Bound Device : eth2
Slot Version : 13 [4.7.1]
Active : 1
Breed : Non-DNA
Sampling Rate : 1
Capture Direction : RX+TX
Appl. Name : Suricata
IP Defragment : No
BPF Filtering : Disabled
# Sw Filt. Rules : 0
# Hw Filt. Rules : 0
Cluster Id : 0
Channel Id : -1
Min Num Slots : 4982
Poll Pkt Watermark : 128
Bucket Len : 1514
Slot Len : 1682 [bucket+header]
Tot Memory : 8388608
Num Poll Calls : 29
Tot Packets : 0
Tot Pkt Lost : 0
Tot Insert : 0
Tot Read : 0
Insert Offset : 0
Remove Offset : 0
Tot Fwd Ok : 0
Tot Fwd Errors : 0
Num Free Slots : 4982
and with libpcap I get the same but:
Appl. Name : <unknown>
Min Num Slots : 4970
Poll Pkt Watermark : 1
Bucket Len : 1518
Slot Len : 1686 [bucket+header]
Tot Memory : 8388608
Num Poll Calls : 33
Num Free Slots : 4970
Appl. Name <unknown> and the differing number of Poll Calls are, I guess,
expected, depending on how many seconds it took me to switch windows :)
Best Wishes,
Chris
On 27/07/2011 20:33, Will Metcalf wrote:
> Chris
>
> Just curious if you build this against PF_RING enabled libpcap do you
> see the same behavior?
>
> Regards,
>
> Will