Mailing List Archive

nbpf questions
Hi all,
The README of the nbpf section on GitHub notes that “NOT” cannot be used as a
keyword in a filter; however, I used “NOT” and the filter is effective in my
test process. I want to know if there is something wrong in the official
documents or if I omitted anything in my code.
If the format of the filter is “not host A and not host B and...”, how
many hosts can nbpf support in a filter at maximum? Besides, could you
please tell me if the pcap processing speed of PF_RING will be influenced by
an increase in filter length?
Any insight would be helpful.
Re: nbpf questions
Hi Bowen,
the nbpf syntax actually supports the not operator, however it depends
on the actual backend (we probably need to extend the guide, commenting
more about this). For instance, when translating the filter into hw rules for offloading
it to the adapter, in most cases it is not possible to use the not operator.
What is your use case/application/card where you are using nbpf?

Regards
Alfredo

> On 27 Jun 2018, at 04:48, Bowen Li <newfire.bw@gmail.com> wrote:
>
> Hi all,
> The README of the nbpf section on GitHub notes that “NOT” cannot be used as a keyword in a filter; however, I used “NOT” and the filter is effective in my test process. I want to know if there is something wrong in the official documents or if I omitted anything in my code.
> If the format of the filter is “not host A and not host B and...”, how many hosts can nbpf support in a filter at maximum? Besides, could you please tell me if the pcap processing speed of PF_RING will be influenced by an increase in filter length?
> Any insight would be helpful.
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: nbpf questions
Hi Alfredo
Thanks for replying.
My test environment:
CentOS Linux release 7.2.1511 (Core) 3.10.0-327.13.1.el7.x86_64
Intel(R) Xeon(R) CPU E5-2690 v2 @ 3.00GHz
Memory: 128G

PF_RING Version : 7.2.0 (7.2.0-stable:745f567720be0f28385ce923ba9f4957d6fe35cf)
Total rings : 21
Standard (non ZC) Options
Ring slots : 4096
Slot version : 17
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

Ethernet controller: Intel Corporation 82574L Gigabit Network Connection
Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)

bro ids version 2.5.2

My goal is to use nbpf to shunt traffic from some hosts instead of
catching traffic from specific hosts, so I did the test.
I use two 10G interfaces on the same NIC to send traffic from one to the
other (I also do this on a 1G NIC) using pfsend; bro ids listens on the
receiving interface with a bpf filter. I use the "cmd_line_bpf_filter" param
in bro to pass the filter to PF_RING. My test result is: with the format
"not host A and not host B and ...", the maximum number of hosts is 466, and
it seems that the number of host items has no effect on the processing
speed of PF_RING. Are my test results reliable?

Alfredo Cardigliano <cardigliano@ntop.org> wrote on 2018/6/27 at 4:05:

> Hi Bowen,
> the nbpf syntax actually supports the not operator, however it depends
> on the actual backend (we probably need to extend the guide, commenting
> more about this). For instance, when translating the filter into hw rules
> for offloading it to the adapter, in most cases it is not possible to use
> the not operator.
> What is your use case/application/card where you are using nbpf?
>
> Regards
> Alfredo
Re: nbpf questions
Hi Bowen,
said that I am still missing something in your implementation (did you write
custom code using nbpf_parse and nbpf_match?), your test results could
be reliable if you are checking the processing speed at 1Gbit.

Alfredo

> On 28 Jun 2018, at 09:23, Bowen Li <newfire.bw@gmail.com> wrote:
>
> Hi Alfredo
> Thanks for replying.
> My test environment:
> CentOS Linux release 7.2.1511 (Core) 3.10.0-327.13.1.el7.x86_64
> Intel(R) Xeon(R) CPU E5-2690 v2 @ 3.00GHz
> Memory: 128G
>
> PF_RING Version : 7.2.0 (7.2.0-stable:745f567720be0f28385ce923ba9f4957d6fe35cf)
> Total rings : 21
> Standard (non ZC) Options
> Ring slots : 4096
> Slot version : 17
> Capture TX : Yes [RX+TX]
> IP Defragment : No
> Socket Mode : Standard
> Cluster Fragment Queue : 0
> Cluster Fragment Discard : 0
>
> Ethernet controller: Intel Corporation 82574L Gigabit Network Connection
> Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)
>
> bro ids version 2.5.2
>
> My goal is to use nbpf to shunt traffic from some hosts instead of catching traffic from specific hosts, so I did the test.
> I use two 10G interfaces on the same NIC to send traffic from one to the other (I also do this on a 1G NIC) using pfsend; bro ids listens on the receiving interface with a bpf filter. I use the
> "cmd_line_bpf_filter" param in bro to pass the filter to PF_RING. My test result is: with the format "not host A and not host B and ...", the maximum number of hosts
> is 466, and it seems that the number of host items has no effect on the processing speed of PF_RING. Are my test results reliable?
Re: nbpf questions
Hi Alfredo
I did not write custom code using nbpf_parse and nbpf_match; I test
nbpf using bro ids with libpcap from PF_RING.
I think pcap_compile and pcap_setfilter in libpcap from PF_RING use nbpf by
default, and I find that the bpf operation
in libpfring also uses functions in libpcap, am I correct?
Just now I reran my test in a 10Gbit environment; it seems that the
number of host items in the bpf string still has no
effect on the processing speed of PF_RING.
What is the main factor influencing the maximum number of hosts which
can be supported by nbpf in a bpf string?

Alfredo Cardigliano <cardigliano@ntop.org> wrote on 2018/6/28 at 3:34:

> Hi Bowen,
> said that I am still missing something in your implementation (did you
> write custom code using nbpf_parse and nbpf_match?), your test results could
> be reliable if you are checking the processing speed at 1Gbit.
>
> Alfredo
Re: nbpf questions
Hi Bowen,
libpcap-over-pfring actually uses standard BPF, unless you are 1. capturing
from an adapter supporting hw filters (in that case pf_ring translates bpf to
hw rules using nbpf, and it uses standard bpf in userspace as fallback), or
2. extracting traffic from an n2disk dumpset with the timeline enabled.

Alfredo

> On 29 Jun 2018, at 04:39, Bowen Li <newfire.bw@gmail.com> wrote:
>
> Hi Alfredo
> I did not write custom code using nbpf_parse and nbpf_match; I test nbpf using bro ids with libpcap from PF_RING.
> I think pcap_compile and pcap_setfilter in libpcap from PF_RING use nbpf by default, and I find that the bpf operation
> in libpfring also uses functions in libpcap, am I correct?
> Just now I reran my test in a 10Gbit environment; it seems that the number of host items in the bpf string still has no
> effect on the processing speed of PF_RING.
> What is the main factor influencing the maximum number of hosts which can be supported by nbpf in a bpf string?
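Added example, not part of the original thread or of PF_RING: since the thread reports a ceiling of 466 "not host" terms in a filter passed through libpcap-over-pfring, one way to build such a shunting filter is to validate every entry as a literal IP address and merge adjacent addresses into "not net" terms so fewer terms are needed. The function name is hypothetical, and the default cap of 466 is the poster's observed value, not a documented limit.

```python
import ipaddress

# Assumption: 466 is the largest number of "not host" terms the poster's
# setup accepted; it is an observed value, not a documented nbpf/BPF limit.
MAX_TERMS = 466


def build_exclusion_filter(hosts, max_terms=MAX_TERMS):
    """Return a pcap filter string that excludes every address in `hosts`.

    Each entry is parsed with ipaddress, so anything that is not a literal
    IP address (for example extra filter keywords) is rejected before it
    can reach the filter string. Addresses that together fill a whole CIDR
    block are merged into one "not net" term to reduce the term count.
    """
    by_version = {4: [], 6: []}
    for raw in hosts:
        addr = ipaddress.ip_address(raw.strip())  # raises ValueError on bad input
        by_version[addr.version].append(addr)

    terms = []
    for version in (4, 6):
        # collapse_addresses deduplicates and merges only fully covered blocks,
        # so the resulting filter excludes exactly the listed addresses.
        for net in ipaddress.collapse_addresses(by_version[version]):
            if net.num_addresses == 1:
                terms.append(f"not host {net.network_address}")
            else:
                terms.append(f"not net {net.with_prefixlen}")

    if not terms:
        raise ValueError("no hosts given")
    if len(terms) > max_terms:
        raise ValueError(f"{len(terms)} terms exceed the limit of {max_terms}")
    return " and ".join(terms)


if __name__ == "__main__":
    # Constructed sample input: four adjacent hosts plus one isolated host.
    sample = ["10.0.0.0", "10.0.0.1", "10.0.0.2", "10.0.0.3", "192.168.1.7"]
    print(build_exclusion_filter(sample))
```

The resulting string can be passed wherever the thread passes its filter, such as the "cmd_line_bpf_filter" param in bro.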