Hi Doug
see inline

On 05 Aug 2014, at 17:57, Doug Burks <[email protected]> wrote:

> Hi Alfredo,
>
> I've packaged PF_RING 6.0.1 in hopes of supporting Ubuntu's newer
> Hardware Enablement Stack which includes Linux kernel 3.13. I just
> happened to come across this thread. A few questions:
>
> - any idea when the next stable version (6.0.2) will be released?

Probably mid/late September

> - can you provide more detail about the fixes in svn? Were the fixes
> just in the kernel module itself? Can I safely update the kernel
> module component and keep the rest of my packages the same?

Since we changed some data structures shared between kernel and userspace, you should update everything.
We will provide the changelog with the next release.

Alfredo

>
> Thanks,
> Doug
>
> On Tue, Jul 22, 2014 at 10:50 AM, Alfredo Cardigliano
> <[email protected]> wrote:
>> Hi Jason
>> the code in svn contains some fixes for kernel 3.13, thus I cannot tell you
>> 6.0.1 supports kernel 3.13.
>>
>> Alfredo
>>
>> On 20 Jul 2014, at 19:25, dn1nj4 <[email protected]> wrote:
>>
>>> Hey Alfredo,
>>>
>>> I did not. I generally avoid deploying code in production that has not
>>> been released as Stable. So does 6.0.1 Stable not support Kernel 3.13?
>>>
>>> Thanks!
>>> Jason
>>>
>>>> Date: Fri, 18 Jul 2014 17:35:09 +0200
>>>> From: Alfredo Cardigliano <[email protected]>
>>>> To: [email protected]
>>>> Subject: Re: [Ntop-misc] PF_RING 6.0.1/Linux Kernel 3.13 Problems
>>>> Message-ID: <[email protected]>
>>>> Content-Type: text/plain; charset=us-ascii
>>>>
>>>> Hi Jason
>>>> code from SVN should support 3.13, did you try updating from SVN?
>>>>
>>>> Alfredo
>>>>
>>>>> On 18 Jul 2014, at 15:21, Jason <[email protected]> wrote:
>>>>>
>>>>> Hello all,
>>>>>
>>>>> Yesterday I upgraded a number of my systems to the Linux 3.13 kernel and
>>>>> PF-RING from 5.6.2 to 6.0.1. I have encountered several significant
>>>>> problems after the upgrades.
>>>>>
>>>>> First, one of my systems which was collecting around 900Mbps began
>>>>> recording only 1Mbps.
>>>>> Rolling back just the PF_RING 5.6.2 kernel module
>>>>> (compiled against the 3.13 kernel) fixed this problem and capture levels
>>>>> returned to normal.
>>>>>
>>>>> Second, a different system running several capture processes is recording
>>>>> packets filtered with "port 25" as ethernet packets only. It appears as
>>>>> though the IP and TCP headers are being stripped, but the ethernet and
>>>>> tcp payload are being stored. The only way I was able to get this
>>>>> working again was to roll back to an old 3.2 kernel, the PF_RING 5.6.2
>>>>> kernel module AND the PF_RING libpcap library. This behavior
>>>>> appeared with every packet capture tool I tried (snort, tcpdump, bro,
>>>>> etc).
>>>>>
>>>>> Is the 3.13 linux kernel officially supported? Is there something else
>>>>> that might cause these strange errors?
>>>>>
>>>>> In all cases I was running transparent mode 0 with the vanilla NIC
>>>>> drivers.
>>>>>
>>>>> Thanks in advance,
>>>>> Jason
>>>>> _______________________________________________
>>>>> Ntop-misc mailing list
>>>>> [email protected]
>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>>>>
>>>> ------------------------------
>>>>
>>>> Message: 5
>>>> Date: Fri, 18 Jul 2014 15:50:29 +0000
>>>> From: Mike Patterson <[email protected]>
>>>> To: "<[email protected]>"
>>>> <[email protected]>
>>>> Subject: Re: [Ntop-misc] Snort, DNA DAQ, bpf
>>>> Message-ID: <[email protected]>
>>>> Content-Type: text/plain; charset="Windows-1252"
>>>>
>>>> Oh! Sorry, I didn't understand what you were asking. Will follow up, yeah.
>>>>
>>>> thanks!
>>>>
>>>> Mike
>>>>
>>>>> On Jul 18, 2014, at 11:39, "Alfredo Cardigliano" <[email protected]>
>>>>> wrote:
>>>>>
>>>>> Hi Mike
>>>>> as I said, if it is possible please provide us access to your machine
>>>>> (feel free to contact me directly)
>>>>>
>>>>> Alfredo
>>>>>
>>>>>> On 16 Jul 2014, at 19:25, Mike Patterson <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>> Sure, just let me know what I should do and I'll do it. :) The sooner I
>>>>>> can fix this, the sooner I can release my older hardware to do other
>>>>>> things.
>>>>>>
>>>>>> Mike
>>>>>>
>>>>>>> On Jul 16, 2014, at 12:47 PM, Alfredo Cardigliano
>>>>>>> <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi Mike
>>>>>>> bpf support in the daq-dna is available since r2679, so it is supposed
>>>>>>> to work with your version.
>>>>>>> Do we have a chance to debug this on your machine?
>>>>>>>
>>>>>>> Alfredo
>>>>>>>
>>>>>>>> On 16 Jul 2014, at 17:51, Mike Patterson <[email protected]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> On my previous Snort sensor, built on an Endace DAG, I had a BPF for
>>>>>>>> Snort to exclude certain types of traffic. The BPF worked fine; Snort
>>>>>>>> 2.9.5.1 and some previous versions.
>>>>>>>>
>>>>>>>> When I changed my Snort sensor to an X520 + PF_RING / DNA, that BPF
>>>>>>>> stopped working. I can tell that Snort is loading it - it says as much
>>>>>>>> in syslog - but it will still happily alert on traffic matching those
>>>>>>>> exclusions.
>>>>>>>>
>>>>>>>> I've tried various iterations (I posted more detail on the snort-users
>>>>>>>> list if anybody wants to look, or I can re-paste it here), but
>>>>>>>> succinctly:
>>>>>>>>
>>>>>>>> 1) I don't think it's Snort itself - it did work on my previous
>>>>>>>> platform. I tried differing versions of Snort just to be sure -
>>>>>>>> 2.9.5.1, 2.9.6.0, 2.9.6.1.
>>>>>>>>
>>>>>>>> 2) I built tcpdump from the PF_RING distribution, and handed it the
>>>>>>>> same BPF - it worked just fine, or at least, tcpdump didn't complain
>>>>>>>> about the BPF. I did a trivial test:
>>>>>>>> tcpdump -i dna1@0 -n -w test.lpc not net 10.0.0.1/24
>>>>>>>> tcpdump -r test.lpc net 10.0.0.1/24
>>>>>>>> and got the expected output (nothing). So I *think* that this means
>>>>>>>> libpcap (also built from PF_RING distribution) is fine.
>>>>>>>>
>>>>>>>> 3) Following the advice and some other troubleshooting on snort-users,
>>>>>>>> I verified that I'm not seeing this traffic as a result of GRE
>>>>>>>> tunnelling or VLAN tags.
>>>>>>>>
>>>>>>>> Versions:
>>>>>>>> PF_RING 6.0.1
>>>>>>>> pfring-daq-module-dna_r2795 (I'd also tried
>>>>>>>> pfring-daq-module-dna_r2521)
>>>>>>>>
>>>>>>>> The Intel-based machine is not yet in production, so I can fairly
>>>>>>>> easily try anything people might suggest.
>>>>>>>>
>>>>>>>> Other details of my environment:
>>>>>>>> RHEL 6.5
>>>>>>>> Intel X520 NIC:
>>>>>>>> 06:00.1 Ethernet controller: Intel Corporation Ethernet 10G 2P X520
>>>>>>>> Adapter (rev 01)
>>>>>>>>
>>>>>>>> /proc/net/pf_ring/info is:
>>>>>>>> PF_RING Version : 6.0.1 ($Revision: exported$)
>>>>>>>> Total rings : 0
>>>>>>>>
>>>>>>>> Standard (non DNA) Options
>>>>>>>> Ring slots : 16384
>>>>>>>> Slot version : 15
>>>>>>>> Capture TX : No [RX only]
>>>>>>>> IP Defragment : Yes
>>>>>>>> Socket Mode : Standard
>>>>>>>> Transparent mode : No [mode 2]
>>>>>>>> Total plugins : 0
>>>>>>>> Cluster Fragment Queue : 0
>>>>>>>> Cluster Fragment Discard : 0
>>>>>>>>
>>>>>>>> The X520 plugs into a tool port on an Arista 7150S. The DAG plugs into
>>>>>>>> another tool port on the same switch; both tool ports are in the same
>>>>>>>> aggregation group, so they should be getting identical data.
>>>>>>>>
>>>>>>>> I *do* have the option of applying the BPF on the Arista switch
>>>>>>>> itself, although I'd rather avoid that if I can.
>>>>>>>>
>>>>>>>> Thanks in advance for any advice/debugging suggestions/etc.
>>>>>>>>
>>>>>>>> Mike
>>>>
>>>> ------------------------------
>>>>
>>>> End of Ntop-misc Digest, Vol 121, Issue 17
>>>> ******************************************
>
> --
> Doug Burks
> Need Security Onion Training or Commercial Support?
> http://securityonionsolutions.com
