Thank you Alfredo. That's what I thought. Let me explain why I don't think my nprobe (compiled with pfring support) is not working as expected.

My test is:

sudo ~/PF_RING/userland/examples/pfdnacluster_master -i dna0,dna1 -c 10 -n 2 -m 0 -r 0 -s 0

And for consumers:

sudo nprobe -T '%ENGINE_ID %ENGINE_TYPE %IN_BYTES %OUT_BYTES %PROTOCOL %IPV4_SRC_ADDR %L4_SRC_PORT %IPV4_DST_ADDR %L4_DST_PORT %DIRECTION %HTTP_HEADER_MSISDN %HTTP_UA %L7_PROTO %HTTP_HOST' -i dnacluster:10 -b 2 -4 2 -P '/home/nrich/flows'
sudo nprobe -T '%ENGINE_ID %ENGINE_TYPE %IN_BYTES %OUT_BYTES %PROTOCOL %IPV4_SRC_ADDR %L4_SRC_PORT %IPV4_DST_ADDR %L4_DST_PORT %DIRECTION %HTTP_HEADER_MSISDN %HTTP_UA %L7_PROTO %HTTP_HOST' -i dnacluster:10 -b 2 -4 1 -P '/home/nrich/flows'

I've also tried to use dnacluster:10@0 and dnacluster:10@1 instead with the same results.

The problem is that no flow seems to be created and packets are not further processed:

sudo nprobe -T '%ENGINE_ID %ENGINE_TYPE %IN_BYTES %OUT_BYTES %PROTOCOL %IPV4_SRC_ADDR %L4_SRC_PORT %IPV4_DST_ADDR %L4_DST_PORT %DIRECTION %HTTP_HEADER_MSISDN %HTTP_UA %L7_PROTO %HTTP_HOST' -i dnacluster:10 -b 2 -4 2 -P '/home/nrich/flows'
[sudo] password for nrich:
19/Feb/2015 09:48:01 [plugin.c:161] No plugins found in ./plugins
19/Feb/2015 09:48:01 [plugin.c:168] Loading plugins [.so] from /usr/lib/nprobe/plugins
19/Feb/2015 09:48:01 [nprobe.c:3783] WARNING: The output interfaceId is set to 0: did you forget to use -Q perhaps ?
19/Feb/2015 09:48:01 [nprobe.c:3786] WARNING: The input interfaceId is set to 0: did you forget to use -u perhaps ?
19/Feb/2015 09:48:01 [nprobe.c:3846] Welcome to nprobe v.6.15.150218 ($Revision: 3745 $) for x86_64-unknown-linux-gnu with native PF_RING acceleration
19/Feb/2015 09:48:01 [nprobe.c:3874] Tracing enabled
19/Feb/2015 09:48:01 [nprobe.c:3907] Dumping flow files every 60 sec into directory /home/nrich/flows
19/Feb/2015 09:48:01 [nprobe.c:3912] WARNING: -n parameter is missing. 127.0.0.1:2055 will be used.
19/Feb/2015 09:48:01 [nprobe.c:2533] Exporting flows towards 127.0.0.1:2055 using UDP
19/Feb/2015 09:48:01 [util.c:2507] This computer has 4 processor(s)
19/Feb/2015 09:48:01 [util.c:2519] Adding CPU 2 to the CPU affinity set
19/Feb/2015 09:48:01 [util.c:2534] CPU affinity successfully set to 2
19/Feb/2015 09:48:01 [httpPlugin.c:505] HTTP log files will be dumped each 60 seconds or each 10000 lines
19/Feb/2015 09:48:01 [httpPlugin.c:512] Initialized HTTP plugin
19/Feb/2015 09:48:01 [bgpPlugin.c:380] BGP plugin is disabled (--bgp-port has not been specified)
19/Feb/2015 09:48:01 [dbPlugin.c:78] Initializing DB plugin
19/Feb/2015 09:48:01 [plugin.c:225] 3 plugin(s) loaded [3 delete][2 packet].
19/Feb/2015 09:48:01 [nprobe.c:5721] Welcome to nprobe v.6.15.150218 for x86_64-unknown-linux-gnu
19/Feb/2015 09:48:01 [nprobe.c:4959] Compiling flow templates...
19/Feb/2015 09:48:01 [nprobe.c:4995] Using NetFlow Packet Payload Len: 1472
19/Feb/2015 09:48:01 [plugin.c:745] Scanning plugin HTTP Protocol
19/Feb/2015 09:48:01 [plugin.c:859] Enabling plugin HTTP Protocol
19/Feb/2015 09:48:01 [plugin.c:745] Scanning plugin BGP Update Listener
19/Feb/2015 09:48:01 [plugin.c:745] Scanning plugin MySQL DB
19/Feb/2015 09:48:01 [plugin.c:872] 1 plugin(s) enabled
19/Feb/2015 09:48:01 [nprobe.c:5296] Scanning flow template...
19/Feb/2015 09:48:01 [nprobe.c:5306] Template [id=257]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found IN_BYTES [num 1][id 1][4 bytes][total 4 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found PROTOCOL [num 2][id 4][1 bytes][total 5 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found L4_SRC_PORT [num 3][id 7][2 bytes][total 7 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found IPV4_SRC_ADDR [num 4][id 8][4 bytes][total 11 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found L4_DST_PORT [num 5][id 11][2 bytes][total 13 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found IPV4_DST_ADDR [num 6][id 12][4 bytes][total 17 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found OUT_BYTES [num 7][id 23][4 bytes][total 21 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found ENGINE_TYPE [num 8][id 38][1 bytes][total 22 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found ENGINE_ID [num 9][id 39][1 bytes][total 23 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found DIRECTION [num 10][id 61][1 bytes][total 24 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found L7_PROTO [num 11][id 118][2 bytes][total 26 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5306] Template [id=258]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found IN_BYTES [num 1][id 1][4 bytes][total 4 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found PROTOCOL [num 2][id 4][1 bytes][total 5 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found L4_SRC_PORT [num 3][id 7][2 bytes][total 7 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found L4_DST_PORT [num 4][id 11][2 bytes][total 9 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found OUT_BYTES [num 5][id 23][4 bytes][total 13 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found IPV6_SRC_ADDR [num 6][id 27][16 bytes][total 29 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found IPV6_DST_ADDR [num 7][id 28][16 bytes][total 45 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found ENGINE_TYPE [num 8][id 38][1 bytes][total 46 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found ENGINE_ID [num 9][id 39][1 bytes][total 47 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found DIRECTION [num 10][id 61][1 bytes][total 48 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found L7_PROTO [num 11][id 118][2 bytes][total 50 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5306] Template [id=259]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found IN_BYTES [num 1][id 1][4 bytes][total 4 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found PROTOCOL [num 2][id 4][1 bytes][total 5 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found L4_SRC_PORT [num 3][id 7][2 bytes][total 7 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found IPV4_SRC_ADDR [num 4][id 8][4 bytes][total 11 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found L4_DST_PORT [num 5][id 11][2 bytes][total 13 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found IPV4_DST_ADDR [num 6][id 12][4 bytes][total 17 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found OUT_BYTES [num 7][id 23][4 bytes][total 21 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found ENGINE_TYPE [num 8][id 38][1 bytes][total 22 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found ENGINE_ID [num 9][id 39][1 bytes][total 23 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found DIRECTION [num 10][id 61][1 bytes][total 24 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found L7_PROTO [num 11][id 118][2 bytes][total 26 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found HTTP_UA [num 12][id 183][128 bytes][total 154 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found HTTP_HOST [num 13][id 187][64 bytes][total 218 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found HTTP_HEADER_MSISDN [num 14][id 194][9 bytes][total 227 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5306] Template [id=260]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found IN_BYTES [num 1][id 1][4 bytes][total 4 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found PROTOCOL [num 2][id 4][1 bytes][total 5 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found L4_SRC_PORT [num 3][id 7][2 bytes][total 7 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found L4_DST_PORT [num 4][id 11][2 bytes][total 9 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found OUT_BYTES [num 5][id 23][4 bytes][total 13 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found IPV6_SRC_ADDR [num 6][id 27][16 bytes][total 29 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found IPV6_DST_ADDR [num 7][id 28][16 bytes][total 45 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found ENGINE_TYPE [num 8][id 38][1 bytes][total 46 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found ENGINE_ID [num 9][id 39][1 bytes][total 47 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found DIRECTION [num 10][id 61][1 bytes][total 48 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found L7_PROTO [num 11][id 118][2 bytes][total 50 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found HTTP_UA [num 12][id 183][128 bytes][total 178 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found HTTP_HOST [num 13][id 187][64 bytes][total 242 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5312] Found HTTP_HEADER_MSISDN [num 14][id 194][9 bytes][total 251 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5336] Scanning option template...
19/Feb/2015 09:48:01 [nprobe.c:5342] Found TOTAL_FLOWS_EXP [id 42][4 bytes][total 4 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5342] Found TOTAL_PKTS_EXP [id 41][4 bytes][total 8 bytes]
19/Feb/2015 09:48:01 [nprobe.c:5370] Each flow is 251 bytes long
19/Feb/2015 09:48:01 [nprobe.c:5371] The # packets per flow has been set to 4
Error Opening file /usr/nprobe/GeoIPASNum.dat
19/Feb/2015 09:48:01 [util.c:310] WARNING: Unable to load AS file /usr/nprobe/GeoIPASNum.dat. AS support disabled
Error Opening file /usr/nprobe/GeoIPASNumv6.dat
19/Feb/2015 09:48:01 [util.c:319] WARNING: Unable to load AS IPv6 file /usr/nprobe/GeoIPASNumv6.dat. AS IPv6 support disabled
19/Feb/2015 09:48:01 [nprobe.c:4367] Using packet capture length 1600
19/Feb/2015 09:48:01 [pro/pf_ring.c:316] Successfully open PF_RING v.5.6.0 on device dnacluster:10 [snaplen=1600]
19/Feb/2015 09:48:01 [pro/pf_ring.c:325] Using PF_RING in-kernel accelerated packet parsing
19/Feb/2015 09:48:01 [nprobe.c:5901] The flows hash has 131072 buckets
19/Feb/2015 09:48:01 [nprobe.c:5903] Flows older than 120 seconds will be exported
19/Feb/2015 09:48:01 [nprobe.c:5906] Flows inactive for at least 30 seconds will be exported
19/Feb/2015 09:48:01 [nprobe.c:5909] Expired flows will not be queued for more than 30 seconds
19/Feb/2015 09:48:01 [nprobe.c:5916] Exported flows with engineType 0 and engineId 81
19/Feb/2015 09:48:01 [nprobe.c:5938] TCP TOS will be ignored and set to 0.
19/Feb/2015 09:48:01 [nprobe.c:5943] Flows ASs will not be computed
19/Feb/2015 09:48:01 [nprobe.c:5956] After 1 flow packets are sent, we'll delay at least 1 ms
19/Feb/2015 09:48:01 [nprobe.c:5976] Flows will be emitted in NetFlow 9 format
19/Feb/2015 09:48:01 [nprobe.c:6006] Flow input interface index is set to 0
19/Feb/2015 09:48:01 [nprobe.c:6012] Flow output interface index is set to 0
19/Feb/2015 09:48:01 [util.c:2692] nProbe changed user to 'nobody'
19/Feb/2015 09:48:01 [plugin.c:712] Enabling plugin HTTP Protocol
19/Feb/2015 09:48:01 [plugin.c:708] Disabling plugin BGP Update Listener (no template is using it)
19/Feb/2015 09:48:01 [plugin.c:708] Disabling plugin MySQL DB (no template is using it)
19/Feb/2015 09:48:01 [nprobe.c:6133] Starting 1 packet fetch thread(s)
19/Feb/2015 09:48:01 [pro/pf_ring.c:163] [PF_RING] Reading packets in 1 copy mode
19/Feb/2015 09:48:01 [engine.c:2967] Starting bucket dequeue thread
19/Feb/2015 09:49:32 [pro/pf_ring.c:86] PF_RING stats (Average): 12/0 [0.0 %] pkts rcvd/dropped
19/Feb/2015 09:50:02 [pro/pf_ring.c:86] PF_RING stats (Average): 42/0 [0.0 %] pkts rcvd/dropped
19/Feb/2015 09:50:02 [pro/pf_ring.c:97] PF_RING stats (Current): 30/0 [0.0 %] pkts rcvd/dropped
19/Feb/2015 09:50:32 [pro/pf_ring.c:86] PF_RING stats (Average): 54/0 [0.0 %] pkts rcvd/dropped
19/Feb/2015 09:50:32 [pro/pf_ring.c:97] PF_RING stats (Current): 12/0 [0.0 %] pkts rcvd/dropped

No log trace like:

18/Feb/2015 12:53:30 [engine.c:2190] New Flow: [tcp] 172.16.0.167:22 -> 10.34.52.118:53407 [00:00:00:00:00:00 -> 00:00:00:00:00:00][vlan 0][tos 0][ifIdx: 65535 -> 65535][subflowId: 0/0x0000][idx=67032]

And no netflow packets exported (Ok, on my test I'm writing flows to disk, but it's the same for udp exported packets).

Maybe my problem could be related to my nProbe license. I don't know how to check if my nProbe license has PF_Ring support.

Best regards,
Manuel Polonio

2015-02-19 10:01 GMT+01:00 Alfredo Cardigliano <[email protected]>:

> Hi Manuel
> if you want to use DNA the tool you are looking for is pfdnacluster_master
> (userland/examples_libzero),
> if you want to move to ZC, you can use zbalance_ipc (userland/examples_zc)
>
> Command line examples with both tools:
>
> pfdnacluster_master -i dna0,dna1 -c 99 -n 4
>
> zbalance_ipc -i zc:eth1,zc:eth2 -c 99 -n 4 -m 1
>
> (look at stdout to check the interface name for the nprobe instances)
>
> Alfredo
>
> On 19 Feb 2015, at 08:45, Manuel Polonio <[email protected]>
> wrote:
>
> I would want to aggregate traffic from two fiber ports and send its total
> traffic to N different queues to be processed by N nProbe instances.
>
> I've got an old PF_Ring version (5.6.0) and documentation refers to an
> Aggregation software module that I'm not able to find (not even on newer
> versions). I've tested some libzero demos on userland/examples
> (pfdnacluster_master.c mainly) that seem to be useful.
>
> Is that the way it is expected to be implemented?
> Suggestions on most appropriate hash function to improve nDPI detection
> would be highly appreciated.
>
> I've recompiled nProbe (v.6.15.141015) with PF_Ring support and it indeed
> seems to capture packets from dna interface and from dna cluster, but it
> doesn't seem to process them. I mean, if I capture from an ethX interface I
> see PF_Ring capture log traces and flow log traces, but when capturing from
> PF_Ring related interfaces no flow log trace is shown and of course, no
> netflow packet emitted. Am I missing something?
>
> Best regards,
> Manuel Polonio
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
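
The symptom reported in this thread (PF_RING counts received packets while no "New Flow" trace ever appears) can be checked mechanically over an nprobe log. The Python sketch below is an added example, not part of the original messages or of nProbe; its regular expressions follow the log lines quoted above, and the function names and the second sample log are constructed for illustration.

```python
import re

# Patterns follow the nprobe log lines quoted in the message above.
OPEN_RE = re.compile(r"Successfully open PF_RING v\.(\S+) on device (\S+)")
STATS_RE = re.compile(r"PF_RING stats \((?:Average|Current)\): (\d+)/(\d+) \[")
FLOW_RE = re.compile(r"\[engine\.c:\d+\] New Flow: ")

def summarize(log_text):
    """Collect capture device, highest rcvd/dropped counters and New Flow count."""
    out = {"device": None, "rcvd": 0, "dropped": 0, "new_flows": 0}
    for line in log_text.splitlines():
        opened = OPEN_RE.search(line)
        stats = STATS_RE.search(line)
        if opened:
            out["device"] = opened.group(2)
        elif stats:
            out["rcvd"] = max(out["rcvd"], int(stats.group(1)))
            out["dropped"] = max(out["dropped"], int(stats.group(2)))
        elif FLOW_RE.search(line):
            out["new_flows"] += 1
    return out

def capture_without_flows(log_text):
    """True when PF_RING delivered packets but the flow engine logged no flow."""
    s = summarize(log_text)
    return s["rcvd"] > 0 and s["new_flows"] == 0

# Excerpt of the dnacluster run quoted in the message.
DNACLUSTER_LOG = """\
19/Feb/2015 09:48:01 [pro/pf_ring.c:316] Successfully open PF_RING v.5.6.0 on device dnacluster:10 [snaplen=1600]
19/Feb/2015 09:49:32 [pro/pf_ring.c:86] PF_RING stats (Average): 12/0 [0.0 %] pkts rcvd/dropped
19/Feb/2015 09:50:02 [pro/pf_ring.c:86] PF_RING stats (Average): 42/0 [0.0 %] pkts rcvd/dropped
19/Feb/2015 09:50:32 [pro/pf_ring.c:86] PF_RING stats (Average): 54/0 [0.0 %] pkts rcvd/dropped
"""

# Constructed healthy run: the stats line is invented, the New Flow line is
# a shortened copy of the one quoted in the message.
HEALTHY_LOG = """\
18/Feb/2015 12:53:00 [pro/pf_ring.c:86] PF_RING stats (Average): 20/0 [0.0 %] pkts rcvd/dropped
18/Feb/2015 12:53:30 [engine.c:2190] New Flow: [tcp] 172.16.0.167:22 -> 10.34.52.118:53407 [vlan 0][tos 0]
"""

if __name__ == "__main__":
    for name, log in (("dnacluster", DNACLUSTER_LOG), ("healthy", HEALTHY_LOG)):
        print(name, summarize(log), "stalled:", capture_without_flows(log))
```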
