Hey All,
I am using PF_Ring in order to load balance my network intrusion detection system Bro.
Strangely only 16 Million of my 21 Million packet input are recognized by the PF_RING kernel module.
Nevertheless they end up correctly in the application Bro and can be distributed in terms of load balancing.
Do you have an idea what causes this loss of 5 Million packets? How can I verify that PF_RING is installed correctly?
I use Intel Corporation I350 Gigabit Network Connection as NICs. They work with the igb drivers.
The input rate is 0.5Gb/s = 60k to 80k packets/s and currently I am working without the ZeroCopy drivers
It is verified that all of my 21 Million packets are received by my NIC's driver.
The PF_Ring module itself exists and Bro is running with load balancing.
Looking forward to your response and hope to solve this problem with you. Below you will find more detailed information about my system.
If you need something else let me know.
Best,
Enno
Additional information:
One interesting fact: I cannot run "make" in "PF_RING/userland/examples", because
gcc: error: ../libpcap/libpcap.a: No such file or directory
PF_RING/userland looks like this. Indeed "libpcap" is missing
c++ examples examples_zc fast_bpf go lib libpcap-1.7.4 Makefile snort tcpdump-4.7.4
PF_RING module
[root@slinky-3-4 ~]# cat /proc/net/pf_ring/info
PF_RING Version : 6.5.0 (dev:9e221bc0b91040afee98f3e3c22ce83226f63f3e)
Total rings : 0
Standard (non ZC) Options
Ring slots : 32768
Slot version : 16
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
Used NICs
[rosinger@slinky-3-4 ~]$ lspci | egrep -i --color 'network|ethernet'
02:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
02:00.1 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
NICs Drivers
[rosinger @slinky-3-4 ~]# ethtool -i eno2
driver: igb
version: 5.2.15-k
firmware-version: 1.61, 0x80000cd5, 1.1067.0
bus-info: 0000:02:00.1
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no
Enno Rosinger
Student DualStudy Business Informatics - Application Management
+49 617 22685124 Office
Hewlett-Packard-Straße 1| 61352 Bad Homburg | Germany
enno.rosinger@hpe.com<mailto:enno.rosinger@hpe.com>
[HPE_logoemail]
I am using PF_Ring in order to load balance my network intrusion detection system Bro.
Strangely only 16 Million of my 21 Million packet input are recognized by the PF_RING kernel module.
Nevertheless they end up correctly in the application Bro and can be distributed in terms of load balancing.
Do you have an idea what causes this loss of 5 Million packets? How can I verify that PF_RING is installed correctly?
I use Intel Corporation I350 Gigabit Network Connection as NICs. They work with the igb drivers.
The input rate is 0.5Gb/s = 60k to 80k packets/s and currently I am working without the ZeroCopy drivers
It is verified that all of my 21 Million packets are received by my NIC's driver.
The PF_Ring module itself exists and Bro is running with load balancing.
Looking forward to your response and hope to solve this problem with you. Below you will find more detailed information about my system.
If you need something else let me know.
Best,
Enno
Additional information:
One interesting fact: I cannot run "make" in "PF_RING/userland/examples", because
gcc: error: ../libpcap/libpcap.a: No such file or directory
PF_RING/userland looks like this. Indeed "libpcap" is missing
c++ examples examples_zc fast_bpf go lib libpcap-1.7.4 Makefile snort tcpdump-4.7.4
PF_RING module
[root@slinky-3-4 ~]# cat /proc/net/pf_ring/info
PF_RING Version : 6.5.0 (dev:9e221bc0b91040afee98f3e3c22ce83226f63f3e)
Total rings : 0
Standard (non ZC) Options
Ring slots : 32768
Slot version : 16
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
Used NICs
[rosinger@slinky-3-4 ~]$ lspci | egrep -i --color 'network|ethernet'
02:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
02:00.1 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
NICs Drivers
[rosinger @slinky-3-4 ~]# ethtool -i eno2
driver: igb
version: 5.2.15-k
firmware-version: 1.61, 0x80000cd5, 1.1067.0
bus-info: 0000:02:00.1
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no
Enno Rosinger
Student DualStudy Business Informatics - Application Management
+49 617 22685124 Office
Hewlett-Packard-Straße 1| 61352 Bad Homburg | Germany
enno.rosinger@hpe.com<mailto:enno.rosinger@hpe.com>
[HPE_logoemail]
Attached Files:
-
image001.png (5.58 KB)
