Mailing List Archive

Question regarding filtering using software hash filtering rule
Hello,

I have a situation where not all of the received packets are counted
as filtered, and I would like to better understand why.
To better understand it, I've done a controlled experiment, where
after the software hash filtering rule was added on a specific
5-tuple, I send exactly 5000 packets on the same 5-tuple. All packets
are received by the same ring.
When I look at the ring info file, I see that "Sw Filt Hash Match"
increases by 4955 exactly. (It's the same number whenever I repeat the
experiment on the same filter). Which means 45 packets are not
counted. No other statistics parameter can explain the missing 45
packets, not in the ring info file (e.g. "Sw Filt Hash Miss") and not
by using "ethtool -S" on the interface (although by using ethtool -S I
see that all 5000 packets are definitely received by the NIC).
When looking deeply into the replayed pcap, I see a high correlation
between the number of missing packets (i.e. 45) and the number of
packets that are "TCP Segment of a reassembled PDU" (by wireshark).
My rss rehash set to 1.

Questions:
1. Any explanation for packets that are not counted by "Sw Filt Hash
Match" (and not by any other parameter)?
2. Could the "TCP Segment of a reassembled PDU" explain it somehow?
3. Could it be a behavioral change compared to previous pf_ring
versions (e.g. 6.0.3)?

Thanks,
Amir
_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: Question regarding filtering using software hash filtering rule
Hi Amir
could you provide a pcap and the commands (based on our examples) to test what you are doing?

Thank you
Alfredo

> On 4 Jun 2017, at 10:45, Amir Kaduri <akaduri75@gmail.com> wrote:
>
> Hello,
>
> I have a situation where not all of the received packets are counted
> as filtered, and I would like to better understand why.
> To better understand it, I've done a controlled experiment, where
> after the software hash filtering rule was added on a specific
> 5-tuple, I send exactly 5000 packets on the same 5-tuple. All packets
> are received by the same ring.
> When I look at the ring info file, I see that "Sw Filt Hash Match"
> increases by 4955 exactly. (It's the same number whenever I repeat the
> experiment on the same filter). Which means 45 packets are not
> counted. No other statistics parameter can explain the missing 45
> packets, not in the ring info file (e.g. "Sw Filt Hash Miss") and not
> by using "ethtool -S" on the interface (although by using ethtool -S I
> see that all 5000 packets are definitely received by the NIC).
> When looking deeply into the replayed pcap, I see a high correlation
> between the number of missing packets (i.e. 45) and the number of
> packets that are "TCP Segment of a reassembled PDU" (by wireshark).
> My rss rehash set to 1.
>
> Questions:
> 1. Any explanation for packets that are not counted by "Sw Filt Hash
> Match" (and not by any other parameter)?
> 2. Could the "TCP Segment of a reassembled PDU" explain it somehow?
> 3. Could it be a behavioral change compared to previous pf_ring
> versions (e.g. 6.0.3)?
>
> Thanks,
> Amir
Re: Question regarding filtering using software hash filtering rule
Hi,
Have you disabled CPU offload features from the NIC with ethtool?

--- sent from mobile

Re: Question regarding filtering using software hash filtering rule
Hi,

Apparently, it was an MTU issue.

Thanks (and sorry)

On Sun, Jun 4, 2017 at 12:29 PM, Alfredo Cardigliano
<cardigliano@ntop.org> wrote:
> Hi Amir
> could you provide a pcap and the commands (based on our examples) to test what you are doing?
>
> Thank you
> Alfredo