On 6/7/13 12:48 PM, Alfredo Cardigliano wrote:
Hi Michal
this could be normal in case you have fragments (pf_ring discards fragments
when unable to keep track of the flow, in case of orphan fragments for
instance).
If your network does not have fragments, please send us a pcap and your
configuration in order to reproduce the issue.
If you want to disable fragment handling, you can use the
enable_frag_coherence=0 parameter when insmod'ing pf_ring.ko (this option is
available in svn)
That group of sensors gets (among others) the traffic in front of the
load balancers, which might be fragmented, I suppose.
What's the difference between handling fragments in pf_ring (does it
reassemble them?) and leaving this option off and having it done by
snort? Or am I misunderstanding something?
Thanks for the explanation!
Alfredo
On Jun 7, 2013, at 11:49 AM, Michal Purzynski <[email protected]> wrote:
On 6/6/13 6:40 PM, Alfredo Cardigliano wrote:
Hi Michal
this is a bug we fixed yesterday, we will release a new tarball asap, in the
meantime you can use a previous version or checkout from svn
Cluster Fragment Queue : 361
Cluster Fragment Discard : 108136
09:46:02 up 4 min, 1 user, load average: 14.65, 7.31, 2.90
After updating to the SVN version. Still, the discard isn't at zero.
Best Regards
Alfredo
On Jun 6, 2013, at 4:36 PM, Michal Purzynski <[email protected]> wrote:
Hello,
I've noticed something that wasn't here previously, and now I'm wondering - is it normal
for the counters to have such a high value? Especially the "Cluster Fragment
Discard".
cat /proc/net/pf_ring/info
PF_RING Version : 5.5.3 ($Revision: exported$)
Total rings : 14
Standard (non DNA) Options
Ring slots : 4096
Slot version : 15
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 2318
Cluster Fragment Discard : 2270689567
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
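
Added example, not part of the original thread and not pf_ring's own code: a simplified Python model of why a cluster that balances by flow ends up discarding orphan fragments, as Alfredo describes above. The class and field names, and the behaviour modelled with coherence disabled (later fragments hashed without ports), are assumptions of this sketch; the packets are constructed.

```python
import zlib
from collections import namedtuple

# Constructed packet record. frag_off is in 8-byte units, mf is the
# More Fragments flag. Only the first fragment carries the L4 header,
# so sport/dport are None on later fragments.
Pkt = namedtuple("Pkt", "src dst proto ip_id frag_off mf sport dport")

class ClusterModel:
    """Hypothetical model of per-flow balancing with fragment coherence."""

    def __init__(self, num_queues, frag_coherence=True):
        self.num_queues = num_queues
        self.frag_coherence = frag_coherence
        self.frag_table = {}   # (src, dst, proto, ip_id) -> queue of first fragment
        self.discarded = 0     # fragments dropped because no flow was known

    def _flow_queue(self, p):
        # Deterministic 5-tuple hash; ports are None when they are not present.
        key = repr((p.src, p.dst, p.proto, p.sport, p.dport)).encode()
        return zlib.crc32(key) % self.num_queues

    def dispatch(self, p):
        """Return the queue index for p, or None if p is discarded."""
        is_fragment = p.mf or p.frag_off > 0
        if not is_fragment or not self.frag_coherence:
            # Assumption: with coherence off, a later fragment is hashed
            # without ports and may reach a different consumer than the
            # first fragment of the same datagram.
            return self._flow_queue(p)
        key = (p.src, p.dst, p.proto, p.ip_id)
        if p.frag_off == 0:
            # First fragment: ports are known, remember where the flow went.
            # Entries are never expired in this sketch.
            self.frag_table[key] = self._flow_queue(p)
            return self.frag_table[key]
        queue = self.frag_table.get(key)
        if queue is None:
            # Orphan: the first fragment was never seen, so the flow is unknown.
            self.discarded += 1
        return queue

# Constructed traffic: one complete fragmented UDP datagram and one orphan.
FIRST = Pkt("10.0.0.1", "10.0.0.2", 17, 100, 0, True, 5000, 53)
LAST = Pkt("10.0.0.1", "10.0.0.2", 17, 100, 185, False, None, None)
ORPHAN = Pkt("10.0.0.3", "10.0.0.2", 17, 200, 185, False, None, None)
```

A sensor that only sees one direction or a sampled share of traffic in front of a load balancer would produce many packets like ORPHAN, each one incrementing the discard count in this model.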