Mailing List Archive

pf_ring hardware filter question
All;
I am trying to filter out tcp and udp traffic at the kernel level via pf_ring, but can not find any documentation as to how to actually craft a rule, or how you would make one persist. The only reference I can find is to

/proc/net/pf_ring/dev/${interface}/rules

Which would not be persistent. If I wanted to filter out all tcp 443 traffic before handing it off to the application layer, say for Snort or Bro, how do I do that at the pf_ring level persistently? Thanks much!

Erik
Re: pf_ring hardware filter question
Chris
you can set rules via the PF_RING API: did you see https://github.com/ntop/PF_RING/blob/dev/userland/examples/pffilter_test.c ?

Regards Luca

> On 30 Mar 2016, at 21:12, Clark, Erik J <ClarkEJ1@state.gov> wrote:
>
> All;
> I am trying to filter out tcp and udp traffic at the kernel level via pf_ring, but can not find any documentation as to how to actually craft a rule, or how you would make one persist. The only reference I can find is to
>
> /proc/net/pf_ring/dev/${interface}/rules
>
> Which would not be persistent. If I wanted to filter out all tcp 443 traffic before handing it off to the application layer, say for Snort or Bro, how do I do that at the pf_ring level persistently? Thanks much!
>
> Erik
>
>
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it <mailto:Ntop-misc@listgateway.unipi.it>
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc <http://listgateway.unipi.it/mailman/listinfo/ntop-misc>
Re: pf_ring hardware filter question
Luca, in regards to this, I found your paper from 2010 :

http://luca.ntop.org/nema2010.pdf

According to that, we can shove in rules directly with an echo:

"+(1,-1,tcp,192.168.0.10,25,0.0.0.0,0)" > /proc/net/pf_ring/eth3/rules

Based on that, if I want to dump the traffic across the board, couldn't I do

"+(${ruleid},-1,0.0.0.0,443,0.0.0.0,0)"

And dump that to my interfaces? From what I read, it supports ip/netmask options as well, based on

(from paper)
FD filters are expressed as <slot id, VLAN, protocol, ip netmask/port src, ip netmask/port dst, target RX queue id>. Currently all configured filters must have the same mask defined in 82599.
---

Thanks! I had not seen your paper until this morning when I was googling some more on this topic.

-----Original Message-----
From: Clark, Erik J
Sent: Thursday, March 31, 2016 9:06 AM
To: 'ntop-misc@listgateway.unipi.it'
Subject: RE: Ntop-misc Digest, Vol 141, Issue 15


Message: 2
Date: Wed, 30 Mar 2016 23:23:15 +0200
From: Luca Deri <deri@ntop.org>
To: ntop-misc@listgateway.unipi.it
Subject: Re: [Ntop-misc] pf_ring hardware filter question
Message-ID: <196B3D33-566B-421B-BEBC-2BF343661E1D@ntop.org>
Content-Type: text/plain; charset="us-ascii"

Chris
you can set rules via the PF_RING API: did you see http://redirect.state.sbu/?url=https://github.com/ntop/PF_RING/blob/dev/userland/examples/pffilter_test.c ?

Regards Luca

> On 30 Mar 2016, at 21:12, Clark, Erik J <ClarkEJ1@state.gov> wrote:
>
> All;
> I am trying to filter out tcp and udp traffic at the kernel level
> via pf_ring, but can not find any documentation as to how to actually
> craft a rule, or how you would make one persist. The only reference I
> can find is to
>
> /proc/net/pf_ring/dev/${interface}/rules
>
> Which would not be persistent. If I wanted to filter out all tcp 443 traffic before handing it off to the application layer, say for Snort or Bro, how do I do that at the pf_ring level persistently? Thanks much!
>
> Erik



Unfortunately, I haven't written any C in about 18 years. Even then, I was never very good at it. On top of that, I can't even seem to understand what is going on in the file. There is a section where it says it is dropping everything but icmp, but there is nothing saying that outright, except a reference to rule.rule_id = 5, which is as clear as mud.

So, is the short answer there is no way to use something like ethtool to set pf_ring filters? From:

http://ossectools.blogspot.com/2012/10/multi-node-bro-cluster-setup-howto.html

I can see that bpf filters can be associated with the devices somehow (specifically (ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 0)

I can not find any documentation on how to set bpf filters, or pf_ring parameters with something like a shell script or a tool like ethtool. Is this just not possible?


Erik
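One way to make echoed rules survive a reboot is to keep them in a file and replay them into the per-interface rules node from a boot script. The script below is an added example, not code from this thread or from the ntop/PF_RING project; it assumes the seven-field layout (slot id, VLAN, protocol, src ip, src port, dst ip, dst port) seen in the paper excerpt quoted above, so check that layout against the PF_RING release in use before relying on it.

```shell
#!/bin/sh
# Added example, not from the thread or from ntop/PF_RING: render pf_ring filter
# rules in the "+(...)" text form written to /proc and replay them from a file at
# boot. The seven-field layout (slot id, VLAN, protocol, src ip, src port, dst ip,
# dst port) is assumed from the 2010 paper excerpt quoted above.

# Overridable so the loader can be exercised against a scratch directory.
RULES_DIR=${RULES_DIR:-/proc/net/pf_ring/dev}

# pfring_rule SLOT VLAN PROTO SRC SPORT DST DPORT
# Prints one "+(...)" add-rule line after basic sanity checks; VLAN -1 means any.
pfring_rule() {
    [ "$#" -eq 7 ] || { echo "pfring_rule: expected 7 fields, got $#" >&2; return 1; }
    case "$3" in
        tcp|udp) ;;
        *) echo "pfring_rule: unsupported protocol '$3'" >&2; return 1 ;;
    esac
    for p in "$5" "$7"; do
        case "$p" in
            ''|*[!0-9]*) echo "pfring_rule: bad port '$p'" >&2; return 1 ;;
        esac
        [ "$p" -le 65535 ] || { echo "pfring_rule: port $p out of range" >&2; return 1; }
    done
    printf '+(%s,%s,%s,%s,%s,%s,%s)\n' "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# load_rules IFACE FILE
# FILE holds one rule per line as "slot vlan proto src sport dst dport"; blank
# lines and '#' comments are skipped. Each rule goes in as its own write, just as
# a separate echo into the proc node would. Prints the number of rules loaded.
load_rules() {
    target="$RULES_DIR/$1/rules"
    [ -w "$target" ] || { echo "load_rules: $target is not writable" >&2; return 1; }
    count=0
    while read -r slot vlan proto src sport dst dport; do
        case "$slot" in ''|'#'*) continue ;; esac
        line=$(pfring_rule "$slot" "$vlan" "$proto" "$src" "$sport" "$dst" "$dport") || return 1
        printf '%s\n' "$line" >> "$target" || return 1
        count=$((count + 1))
    done < "$2"
    echo "$count"
}

# Typical boot-time use (e.g. from rc.local, before Snort or Bro start); the
# file path is a placeholder:
#   load_rules eth3 /etc/pf_ring/eth3.rules
```

Because every rule is a separate write, a malformed line aborts the load at that rule rather than silently leaving a partial policy in place, so the loader's exit status is worth checking from the boot script.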