[Ntop] Corrupted packets captured with PF_RING

Thu, 19 Apr 2007 02:58:45 -0700 

Hi,
we have a problem with PF_RING 3.2.1 on Linux 2.6.19.2. First 62 bytes of each packet are captured correctly. The rest of packet is corrupted. The problem does not depend on packet size or bucket_len. 


For instance, the following is comparison of tcpdump without PF_RING and 
with PF_RING for UDP packet that includes increasing bytes in payload (00, 
01, 02, etc.):


Without PF_RING:

# tcpdump -s 128 -n -XX -i eth2
tcpdump: WARNING: eth2: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 128 bytes
23:57:26.102231 IP 0.0.0.0.63 > 0.0.0.0.63: UDP, length 82
        0x0000:  0001 0500 0100 0001 0500 0000 0800 4500  ..............E.
        0x0010:  006e 0000 0000 4011 7a80 0000 0000 0000  [EMAIL PROTECTED]
        0x0020:  0000 003f 003f 005a 9025 0001 0203 0405  ...?.?.Z.%......
        0x0030:  0607 0809 0a0b 0c0d 0e0f 1011 1213 1415  ................
        0x0040:  1617 1819 1a1b 1c1d 1e1f 2021 2223 2425  ...........!"#$%
        0x0050:  2627 2829 2a2b 2c2d 2e2f 3031 3233 3435  &'()*+,-./012345
        0x0060:  3637 3839 3a3b 3c3d 3e3f 4041 4243 4445  6789:;<=>[EMAIL 
PROTECTED]
        0x0070:  4647 4849 4a4b 4c4d 4e4f 5051            FGHIJKLMNOPQ

With PF_RING:

# ./tcpdump -s 128 -XXX  -n -i eth2
Open HAVE_PF_RING(eth2)
tcpdump: WARNING: eth2: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 128 bytes
23:57:26.102231 IP 0.0.0.0.63 > 0.0.0.0.63: UDP, length 82
        0x0000:  0001 0500 0100 0001 0500 0000 0800 4500  ..............E.
        0x0010:  006e 0000 0000 4011 7a80 0000 0000 0000  [EMAIL PROTECTED]
        0x0020:  0000 003f 003f 005a 9025 0001 0203 0405  ...?.?.Z.%......
        0x0030:  0607 0809 0a0b 0c0d 0e0f 1011 1213 a128  ...............(
        0x0040:  834f 5503 068a 8b5b 7a77 502d c924 4a24  .OU....[zwP-.$J$
        0x0050:  6a57 1c4d d1a9 debc 68b9 f21b 3ec5 7533  jW.M....h...>.u3
        0x0060:  da77 ae55 7152 0100 0000 0600 0000 0100  .w.UqR..........
        0x0070:  0000 0100 0000 0000 0000 0000

More information about PF_RING:

# dmesg
...
Welcome to PF_RING 3.2.1
(C) 2004-06 L.Deri <[EMAIL PROTECTED]>
NET: Registered protocol family 27
PF_RING: bucket length    128 bytes
PF_RING: ring slots       4096
PF_RING: sample rate      1 [1=no sampling]
PF_RING: capture TX       No [RX only]
PF_RING: transparent mode Yes
PF_RING initialized correctly.
PF_RING: registered /proc/net/pf_ring/

Did anybody experience a similar problem?

Regards,

Sven
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop






















					Reply via email to