[Ntop-dev] PF_RING trunk broken?

Thu, 19 Jul 2007 01:34:17 -0700 

Hi,

I'm trying to use PF_RING trunk with linux 2.6.16.29, and I encountered
two issues:


1. Fallback mode of libpcap on unpatched kernels does not work.

If I run tcpdump linked against a libpcap 0.9.4 patched with PF_RING
trunk patches on a 2.6.16.29 kernel I get the following output:

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
-8:-59:-36.3085886112 IP 137.226.18.45 > 137.226.18.4: ICMP echo
request, id 56183, seq 1, length 64
-8:-59:-36.3085886112 IP 137.226.18.4 > 137.226.18.45: ICMP echo reply,
id 56183, seq 1, length 64

Timestamps seem to be messed up.
Furthermore, writing a dump file and reading it afterwards does not work:

[EMAIL PROTECTED]:~ $ sudo tcpdump -vv -pni eth0 -w /tmp/blub.dump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96
bytes
137 packets captured
274 packets received by filter
0 packets dropped by kernel

[EMAIL PROTECTED]:~ $ sudo tcpdump -r /tmp/blub.dump
reading from file /tmp/blub.dump, link-type EN10MB (Ethernet)
tcpdump: pcap_loop: bogus savefile header


2. Receiving packets are always captured twice

Same setup but with PF_RING patches build kernel.
Every incoming packet is captured twice in tcpdump. It even has the same
timestamp!
I also tried pcount, and its the same.

[EMAIL PROTECTED]:~/PF_RING/userland/libpcap-0.9.4-ring $ sudo tcpdump
-X -pni eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:21:07.513938 IP 137.226.18.34 > 137.226.18.4: ICMP echo request, id
41487, seq 1, length 64
        0x0000:  4500 0054 0000 4000 4001 02bf 89e2 1222  [EMAIL 
PROTECTED]@......"
        0x0010:  89e2 1204 0800 2791 a20f 0001 f33d 9e46  ......'......=.F
        0x0020:  aad6 0700 0809 0a0b 0c0d 0e0f 1011 1213  ................
        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
        0x0050:  3435                                     45
18:21:07.514248 IP 137.226.18.4 > 137.226.18.34: ICMP echo reply, id
41487, seq 1, length 64
        0x0000:  4500 0054 b739 0000 4001 8b85 89e2 1204  [EMAIL PROTECTED]
        0x0010:  89e2 1222 0000 2f91 a20f 0001 f33d 9e46  ..."../......=.F
        0x0020:  aad6 0700 0809 0a0b 0c0d 0e0f 1011 1213  ................
        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
        0x0050:  3435                                     45
18:21:07.514248 IP 137.226.18.4 > 137.226.18.34: ICMP echo reply, id
41487, seq 1, length 64
        0x0000:  4500 0054 b739 0000 4001 8b85 89e2 1204  [EMAIL PROTECTED]
        0x0010:  89e2 1222 0000 2f91 a20f 0001 f33d 9e46  ..."../......=.F
        0x0020:  aad6 0700 0809 0a0b 0c0d 0e0f 1011 1213  ................
        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
        0x0050:  3435


Best regards,
Arnd



_______________________________________________
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev

Reply via email to