[Oisf-devel] PF_RING missing alerts that PF_RING-enabled libpcap matches

[Will Metcalf]

We set the application name in suricata.  It's a PF_RING API call. I'm
guessing libpcap doesn't do this?

On Wed, Jul 27, 2011 at 4:54 PM, Chris Wakelin
<c.d.wakelin at reading.ac.uk> wrote:
> Yes, it is the PF_RING enabled libpcap. I've not tried without, though I
> assume it works! One odd thing though is with PF_RING runmodes I have
>
> /proc/net/pf_ring/<pid>-eth2.xxx (before sending any packets):
>
> Bound Device       : eth2
> Slot Version       : 13 [4.7.1]
> Active             : 1
> Breed              : Non-DNA
> Sampling Rate      : 1
> Capture Direction  : RX+TX
> Appl. Name         : Suricata
> IP Defragment      : No
> BPF Filtering      : Disabled
> # Sw Filt. Rules   : 0
> # Hw Filt. Rules   : 0
> Cluster Id         : 0
> Channel Id         : -1
> Min Num Slots      : 4982
> Poll Pkt Watermark : 128
> Bucket Len         : 1514
> Slot Len           : 1682 [bucket+header]
> Tot Memory         : 8388608
> Num Poll Calls     : 29
> Tot Packets        : 0
> Tot Pkt Lost       : 0
> Tot Insert         : 0
> Tot Read           : 0
> Insert Offset      : 0
> Remove Offset      : 0
> Tot Fwd Ok         : 0
> Tot Fwd Errors     : 0
> Num Free Slots     : 4982
>
> and with libpcap I get the same but:
>
> Appl. Name         : <unknown>
> Min Num Slots      : 4970
> Poll Pkt Watermark : 1
> Bucket Len         : 1518
> Slot Len           : 1686 [bucket+header]
> Tot Memory         : 8388608
> Num Poll Calls     : 33
> Num Free Slots     : 4970
>
> Appl. Name <unknown> and differing number of Poll Calls, I guess is
> expected, depending on how many seconds it took me to switch windows :)
>
> Best Wishes,
> Chris
>
> On 27/07/2011 20:33, Will Metcalf wrote:
>> Chris
>>
>> Just curious if you build this against PF_RING enabled libpcap do you
>> see the same behavior?
>>
>> Regards,
>>
>> Will
>