It seems that with the latest version of PF_RING, I'm having
trouble getting the BPF filters to work, at least on RHEL 7.
With normal tcpdump:
% tcpdump -i enp4s0 -nn -c 10 'port 22'
tcpdump: WARNING: enp4s0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp4s0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:50:00.338419 IP XX.XX.XX.XX.22 > XX.XX.XX.XX.60212: Flags [.], seq 2354062218:2354063678, ack 800994694, win 2380, length 1460
17:50:00.338438 IP XX.XX.XX.XX.22 > XX.XX.XX.XX.64833: Flags [P.], seq 652703376:652703456, ack 606406036, win 5657, length 80
17:50:00.338466 IP XX.XX.XX.XX.64833 > XX.XX.XX.XX.22: Flags [.], ack 0, win 255, length 0
17:50:00.338482 IP XX.XX.XX.XX.22 > XX.XX.XX.XX.60212: Flags [.], seq 1460:8760, ack 1, win 2380, length 7300
17:50:00.339772 IP XX.XX.XX.XX.60212 > XX.XX.XX.XX.22: Flags [P.], seq 1:69, ack 32872, win 10519, length 68
17:50:00.339786 IP XX.XX.XX.XX.22 > XX.XX.XX.XX.64833: Flags [P.], seq 480:560, ack 1, win 5657, length 80
17:50:00.339789 IP XX.XX.XX.XX.64833 > XX.XX.XX.XX.22: Flags [.], ack 480, win 253, length 0
17:50:00.339953 IP XX.XX.XX.XX.22 > XX.XX.XX.XX.64833: Flags [P.], seq 560:640, ack 1, win 5657, length 80
17:50:00.340376 IP XX.XX.XX.XX.22 > XX.XX.XX.XX.64833: Flags [P.], seq 640:720, ack 1, win 5657, length 80
17:50:00.340382 IP XX.XX.XX.XX.64833 > XX.XX.XX.XX.22: Flags [.], ack 640, win 252, length 0
10 packets captured
895 packets received by filter
795 packets dropped by kernel
With PF_RING's tcpdump:
% /opt/pf/sbin/tcpdump -i enp4s0 -nn -c 10 'port 22'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp4s0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:50:05.398683938 IP XX.XX.XX.XX.80 > XX.XX.XX.XX.53190: Flags [.], seq 3437247066:3437255826, ack 3263609792, win 513, length 8760
21:50:05.398703325 IP XX.XX.XX.XX.443 > XX.XX.XX.XX.56136: Flags [.], seq 1570714451:1570725683, ack 3907642189, win 273, length 11232
21:50:05.398712933 IP XX.XX.XX.XX.65125 > XX.XX.XX.XX.80: Flags [.], seq 2597100314:2597101774, ack 535663878, win 63855, length 1460
21:50:05.398721319 IP XX.XX.XX.XX.50271 > XX.XX.XX.XX.59307: Flags [.], seq 1379174102:1379181402, ack 3144835430, win 32768, length 7300
21:50:05.398728562 IP XX.XX.XX.XX.443 > XX.XX.XX.XX.57125: UDP, length 1453
21:50:05.398732652 IP XX.XX.XX.XX.443 > XX.XX.XX.XX.57125: UDP, length 1453
21:50:05.398736106 IP XX.XX.XX.XX.80 > XX.XX.XX.XX.36922: Flags [.], seq 308270661:308272109, ack 565323857, win 2050, options [nop,nop,TS val 2804111279 ecr 225559], length 1448
21:50:05.398739251 IP XX.XX.XX.XX.59307 > XX.XX.XX.XX.50271: Flags [.], ack 4294798264, win 12285, length 0
21:50:05.398740596 IP XX.XX.XX.XX.52813 > XX.XX.XX.XX.80: Flags [.], ack 3304701303, win 11946, options [nop,nop,TS val 1567099780 ecr 576135852,nop,nop,sack 1 {1449:60817}], length 0
21:50:05.398743104 IP XX.XX.XX.XX.52813 > XX.XX.XX.XX.80: Flags [.], ack 1, win 11946, options [nop,nop,TS val 1567099780 ecr 576135852,nop,nop,sack 1 {1449:62265}], length 0
10 packets captured
10 packets received by filter
0 packets dropped by kernel
RH Ver : 3.10.0-327.13.1.el7.x86_64
PF_RING Ver :
PF_RING Version : 6.3.0 (dev:d568ce59908fd0021ec7910b0563db191301e61c)
Total rings : 1
Standard (non DNA/ZC) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
There seems to be an open issue here for the same thing:
https://github.com/ntop/ntopng/issues/343
Any ideas?
--
Jim Hranicky
Data Security Specialist
UF Information Technology
105 NW 16TH ST Room #104 GAINESVILLE FL 32603-1826
352-273-1341
_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
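A quick sanity check for the symptom described in the post above: feed the text output of a capture tool back through a tiny evaluator of the requested filter and list every packet line that the filter should have excluded. This is added example code, not part of the post or of PF_RING; it handles only the `[tcp|udp] [src|dst] port N` subset of BPF and the `-nn` IPv4 line format, and the sample lines are copied from the two captures above.

```python
import re

# One "tcpdump -nn" IPv4 line: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>" (hosts redacted as XX.XX.XX.XX in the post).
_LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$")
def parse_line(line):
    """Return (proto, sport, dport) for a packet line, or None for any other output line."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    proto = "tcp" if rest.startswith("Flags") else "udp" if rest.startswith("UDP") else "other"
    return proto, int(m.group("sport")), int(m.group("dport"))

def matches_filter(pkt, expr):
    """Evaluate the BPF subset '[tcp|udp] [src|dst] port N' against a parsed packet."""
    proto, sport, dport = pkt
    want_proto = direction = port = None
    tokens = expr.split()
    for i, tok in enumerate(tokens):
        if tok in ("tcp", "udp"):
            want_proto = tok
        elif tok in ("src", "dst"):
            direction = tok
        elif tok == "port":
            port = int(tokens[i + 1])
        elif not tok.isdigit():  # the number after "port" was consumed above
            raise ValueError("unsupported filter token: " + tok)
    if want_proto is not None and proto != want_proto:
        return False
    if port is None:
        return True
    candidates = {"src": (sport,), "dst": (dport,)}.get(direction, (sport, dport))
    return port in candidates

def filter_violations(lines, expr):
    """Return the output lines describing packets that the filter should have excluded."""
    parsed = [(ln, parse_line(ln)) for ln in lines]
    return [ln for ln, p in parsed if p is not None and not matches_filter(p, expr)]

# Sample lines copied from the two captures in the post above.
NORMAL_LINES = [
    "listening on enp4s0, link-type EN10MB (Ethernet), capture size 65535 bytes",
    "17:50:00.338419 IP XX.XX.XX.XX.22 > XX.XX.XX.XX.60212: Flags [.], seq 2354062218:2354063678, ack 800994694, win 2380, length 1460",
    "17:50:00.338466 IP XX.XX.XX.XX.64833 > XX.XX.XX.XX.22: Flags [.], ack 0, win 255, length 0",
]
PFRING_LINES = [
    "21:50:05.398683938 IP XX.XX.XX.XX.80 > XX.XX.XX.XX.53190: Flags [.], seq 3437247066:3437255826, ack 3263609792, win 513, length 8760",
    "21:50:05.398728562 IP XX.XX.XX.XX.443 > XX.XX.XX.XX.57125: UDP, length 1453",
]
```

Run against the stock tcpdump output, `filter_violations(NORMAL_LINES, "port 22")` is empty; against the PF_RING output every packet line comes back, which is exactly the "filter silently ignored" condition a sensor operator wants to alarm on rather than discover later.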