Hi Alfredo
Thanks for replying.
My test environment:
CentOS Linux release 7.2.1511 (Core) 3.10.0-327.13.1.el7.x86_64
Intel(R) Xeon(R) CPU E5-2690 v2 @ 3.00GHz
Memory: 128G
PF_RING Version : 7.2.0
(7.2.0-stable:745f567720be0f28385ce923ba9f4957d6fe35cf)
Total rings : 21
Standard (non ZC) Options
Ring slots : 4096
Slot version : 17
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
Ethernet controller: Intel Corporation 82574L Gigabit Network
Connection
Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+
Network Connection (rev 01)
bro ids version 2.5.2
My goal is to use nbpf to shunt traffic from some hosts instead of
catching traffic from specific hosts, so I did the test.
I use two 10G interface on same nic to send traffic from one to another
one(I also do this on 1G nic) using pfsend, bro ids listen the receiving
interface with bpf filter, I use
"cmd_line_bpf_filter" param in bro to pass filter to PF_RING, my test
result is: with format "not host A and not host B and ...", the maximum num
of host
is 466 and it seems that the number of host item has no effect on the
processing speed of PF_RING. Are my test result reliable?
Alfredo Cardigliano <cardigliano@ntop.org> ?2018?6?27??? ??4:05???
> Hi Bowen
> the nbpf syntax actually supports the not operator, however it depends
> on the actual backend (we probably need to extend the guide commenting
> more about this). For instance translating the filter into hw rules for
> offloading
> it to the adapter, in most cases it is not possible to use the not
> operator.
> What is your use case/application/card where you are using nbpf?
>
> Regards
> Alfredo
>
> On 27 Jun 2018, at 04:48, Bowen Li <newfire.bw@gmail.com> wrote:
>
> Hi all,
> The README of ndpf section in github notes that “NOT” cannot be used
> as keyword in filter, however, I used “NOT” and the filter is effective in
> my test process. I want to know if there is something wrong in the official
> documents or I omitted anything in my code.
> If the used format of filter is “not host A and not host B and...”,
> how many hosts that ndpf could support to filter in maximum? Besides, could
> you please tell me if pcap processing speed of PF_RING will be influenced
> with the increase of filter length?
> Any insight would be helpful.
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc