Hi
You're right. We need to add it: you can c&p the code from pfcount in the meantime.

Luca

On Jun 2, 2013, at 1:54 AM, Doug Burks <[email protected]> wrote:

> I have pfdump now but I don't see a cluster-id option.  Did you mean
> pfcount?  If I run 2 instances of pfcount with the same cluster-id and
> then replay a pcap with 10 packets all belonging to the same TCP
> stream, I get 5 packets being sent to each pfcount instance.
> Shouldn't all 10 packets be sent to 1 instance?
> 
> First instance:
> 
> sudo ./pfcount -c77 -i eth1
> <snip>
> =========================
> Absolute Stats: [5 pkts rcvd][5 pkts filtered][0 pkts dropped]
> Total Pkts=5/Dropped=0.0 %
> 5 pkts - 434 bytes [0.38 pkt/sec - 0.00 Mbit/sec]
> =========================
> Actual Stats: 5 pkts [1'000.75 ms][5.00 pps/0.00 Gbps]
> =========================
> 
> Second instance:
> 
> sudo ./pfcount -c77 -i eth1
> <snip>
> =========================
> Absolute Stats: [5 pkts rcvd][5 pkts filtered][0 pkts dropped]
> Total Pkts=5/Dropped=0.0 %
> 5 pkts - 834 bytes [0.62 pkt/sec - 0.00 Mbit/sec]
> =========================
> Actual Stats: 5 pkts [1'001.39 ms][4.99 pps/0.00 Gbps]
> =========================
> 
> The replayed pcap is just ten packets that result from "curl testmyids.com":
> 
> tcpdump -nnr testmyids.pcap
> reading from file testmyids.pcap, link-type EN10MB (Ethernet)
> 11:46:11.691648 IP 192.168.111.111.50154 > 217.160.51.31.80: Flags
> [S], seq 3840903154, win 42340, options [mss 1460,sackOK,TS val
> 20137183 ecr 0,nop,wscale 11], length 0
> 11:46:11.808833 IP 217.160.51.31.80 > 192.168.111.111.50154: Flags
> [S.], seq 2859277445, ack 3840903155, win 5840, options [mss
> 1460,nop,wscale 7], length 0
> 11:46:11.808854 IP 192.168.111.111.50154 > 217.160.51.31.80: Flags
> [.], ack 1, win 21, length 0
> 11:46:11.809083 IP 192.168.111.111.50154 > 217.160.51.31.80: Flags
> [P.], seq 1:166, ack 1, win 21, length 165
> 11:46:11.927518 IP 217.160.51.31.80 > 192.168.111.111.50154: Flags
> [.], ack 166, win 54, length 0
> 11:46:12.036708 IP 217.160.51.31.80 > 192.168.111.111.50154: Flags
> [P.], seq 1:260, ack 166, win 54, length 259
> 11:46:12.036956 IP 192.168.111.111.50154 > 217.160.51.31.80: Flags
> [.], ack 260, win 21, length 0
> 11:46:12.037206 IP 192.168.111.111.50154 > 217.160.51.31.80: Flags
> [F.], seq 166, ack 260, win 21, length 0
> 11:46:12.154641 IP 217.160.51.31.80 > 192.168.111.111.50154: Flags
> [F.], seq 260, ack 167, win 54, length 0
> 11:46:12.154888 IP 192.168.111.111.50154 > 217.160.51.31.80: Flags
> [.], ack 261, win 21, length 0
> 
> Any ideas?
> 
> Thanks,
> Doug
> 
> On Sat, Jun 1, 2013 at 5:48 PM, Doug Burks <[email protected]> wrote:
>> On Sat, Jun 1, 2013 at 10:24 AM, Luca Deri <[email protected]> wrote:
>>> Hi Doug
>>> 
>>> On Jun 1, 2013, at 6:59 AM, Doug Burks <[email protected]> wrote:
>>> 
>>>> Hello all,
>>>> 
>>>> I recently packaged PF_RING 5.5.3 for my Security Onion distro:
>>>> http://securityonion.blogspot.com/2013/05/pfring-553-packages-now-available.html
>>>> 
>>>> Perhaps I'm missing something, but I'm seeing some behavior I don't
>>>> remember seeing in 5.5.2 or previous versions of PF_RING.
>>>> 
>>>> Here are my testing parameters:
>>>> - starting off with a good test, if I run just one instance of snort,
>>>> I get an alert from rule 2100498 for EACH time I run "curl
>>>> testmyids.com"
>>>> - if I increase to two instances of snort with the same cluster-id, I
>>>> get NO alerts when running "curl testmyids.com"
>>>> - if I set the daq clustermode to 2, I get NO alerts when running
>>>> "curl testmyids.com".  (Does clustermode default to 2 if not
>>>> specified?)
>>> Yes, this is the default.
>>>> - if I set the daq clustermode to 4, I get an alert for EVERY OTHER
>>>> "curl testmyids.com" (if I do 10 curls, I only get 5 alerts).
>>> 
>>> 
>>> I am not a snort expert, but the default is per-IP balancing, so it must
>>> work; otherwise we have a bug. I suggest you capture traffic with an app
>>> such as pfdump, which is cluster-aware, and see what traffic the app received.
>> 
>> Hi Luca,
>> 
>> Thanks for the quick response!
>> 
>> It looks like I'm seeing similar issues with Suricata and Bro, so I
>> don't think it's limited to Snort.
>> 
>> What's the recommended way to compile pfdump.c since there is no
>> configure and no Makefile in that directory?
>> 
>> Thanks,
>> Doug
> 
> 
> 
> -- 
> Doug Burks
> http://securityonion.blogspot.com
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
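Luca's advice (balancing should be per IP, and a cluster-aware capture tool such as pfdump or pfcount shows what each instance actually received) comes down to one property: every packet of a bidirectional TCP flow must reach the same cluster instance, or no single IDS instance sees the whole stream and the rule never fires. The Python script below is an added illustration, not code from PF_RING, the DAQ, or anyone in this thread. It re-types the ten packets from Doug's tcpdump listing as constructed sample data and runs them through three assumed, simplified balancing policies (a directional 5-tuple hash, a symmetric 5-tuple hash, and a symmetric IP-pair hash) plus a flow-unaware round-robin, then reports the per-instance counts and which flows were split. The policies are stand-ins for the kernel-side hashing, not its implementation; the thread does not establish which policy produced the observed 5/5 split, and round-robin is included only to show what a flow-unaware result looks like next to the expected 10/0.

```python
"""Flow-affinity check for a packet-clustering setup (added illustration).

Models how a cluster of N capture instances picks an instance per packet,
using the ten packets of the "curl testmyids.com" capture quoted in the
thread (re-typed here as constructed sample data). The balancing policies
are assumed, simplified stand-ins for PF_RING/DAQ hashing, not its code.
"""
import zlib
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Endpoints from the quoted tcpdump listing.
CLIENT = ("192.168.111.111", 50154)
SERVER = ("217.160.51.31", 80)
C2S = (CLIENT[0], CLIENT[1], SERVER[0], SERVER[1])
S2C = (SERVER[0], SERVER[1], CLIENT[0], CLIENT[1])

# (src_ip, src_port, dst_ip, dst_port) for the ten packets, in capture order.
PACKETS: List[Tuple[str, int, str, int]] = [
    C2S,  # [S]
    S2C,  # [S.]
    C2S,  # [.]  ack 1
    C2S,  # [P.] seq 1:166
    S2C,  # [.]  ack 166
    S2C,  # [P.] seq 1:260
    C2S,  # [.]  ack 260
    C2S,  # [F.]
    S2C,  # [F.]
    C2S,  # [.]  ack 261
]
PROTO_TCP = 6


def stable_hash(*fields) -> int:
    """Deterministic hash; Python's built-in hash() is randomized per process."""
    return zlib.crc32("|".join(map(str, fields)).encode())


# --- balancing policies: each maps a packet to a cluster slot in [0, n) ---

def directional_5tuple(pkt, n: int) -> int:
    """Hash the 5-tuple as seen on the wire. A->B and B->A produce different
    keys, so the two directions of one stream may land on different slots."""
    src_ip, src_port, dst_ip, dst_port = pkt
    return stable_hash(src_ip, src_port, dst_ip, dst_port, PROTO_TCP) % n


def symmetric_5tuple(pkt, n: int) -> int:
    """Order the two endpoints before hashing so both directions of a stream
    share one key: this is the property an IDS cluster needs."""
    src_ip, src_port, dst_ip, dst_port = pkt
    a, b = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return stable_hash(a, b, PROTO_TCP) % n


def symmetric_ip_pair(pkt, n: int) -> int:
    """Per-IP-pair balancing (ports ignored), again order-independent."""
    src_ip, _, dst_ip, _ = pkt
    a, b = sorted([src_ip, dst_ip])
    return stable_hash(a, b) % n


def make_round_robin():
    """Flow-unaware policy: packet k goes to slot k mod n. Shown only as the
    contrast case; it ignores flows entirely."""
    state = {"k": 0}

    def policy(pkt, n: int) -> int:
        slot = state["k"] % n
        state["k"] += 1
        return slot

    return policy


def distribute(packets, n: int, policy) -> Dict[int, int]:
    """Packets per slot, i.e. what each pfcount instance would report."""
    counts = Counter(policy(p, n) for p in packets)
    return {slot: counts.get(slot, 0) for slot in range(n)}


def split_flows(packets, n: int, policy):
    """Bidirectional flows whose packets landed on more than one slot.
    An empty set means flow affinity holds for this capture."""
    slots = defaultdict(set)
    for p in packets:
        src_ip, src_port, dst_ip, dst_port = p
        key = tuple(sorted([(src_ip, src_port), (dst_ip, dst_port)]))
        slots[key].add(policy(p, n))
    return {flow for flow, seen in slots.items() if len(seen) > 1}


if __name__ == "__main__":
    policies = [
        ("directional 5-tuple", directional_5tuple),
        ("symmetric 5-tuple", symmetric_5tuple),
        ("symmetric IP pair", symmetric_ip_pair),
        ("round-robin", make_round_robin()),
    ]
    for name, pol in policies:
        counts = distribute(PACKETS, 2, pol)
        print(f"{name:20s} per-instance counts={counts} "
              f"split flows={len(split_flows(PACKETS, 2, pol))}")
```

Run it with two slots to mirror the two pfcount instances: the symmetric policies put all ten packets on one slot and report no split flow, while round-robin gives the 5/5 pattern with the single TCP stream flagged as split. The directional hash may or may not split the stream for a given slot count, since it depends on where the two keys fall; that unpredictability is exactly why a symmetric key is required. The same check applies in the field: compare the per-instance counters reported by pfcount against the number of flows you replayed, and treat any flow whose packets appear in more than one instance's capture as a balancing defect.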
