Re: PF_Ring and ntop

[Y M <snort () outlook com>]

Avoid the igb-5.1.5 driver as there are known issues compiling it, which have been addressed in igb-5.2.5. They should 
be under the zc drivers and not the non-zc ones.

Sent from Mobile
________________________________
From: Mike Miller<mailto:mike () millertwinracing com>
Sent: ‎6/‎21/‎2014 12:14 AM
To: Y M<mailto:snort () outlook com>
Cc: Miller, Mike<mailto:mike.j.miller () ihs com>; snort-users<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] PF_Ring and ntop

They're the drivers that come with the following Source Tree:
https://github.com/xtao/PF_RING

I've tried the DNC branch (which may be the problem), I'll retry with the
PF_RING_aware branch ( PF_RING_aware/intel/igb ) and leave DNA out of it.




On Fri, Jun 20, 2014 at 11:09 AM, Y M <snort () outlook com> wrote:

>  Hi Mike,
>
> Are you using the PF_RING-aware NIC drivers for your HP? What
> transparent_mode are you running the PF_RING kernel with?
>
> I wouldn't be able to provide statistical data for the performance among
> the different parts, but here is what I know. The PF_RING DAQ works is an
> added DAQ module to Snort's own DAQ library. So now DAQ speaks PF_RING
> (PF_RING-aware libpcap/kernel). PF_RING zc from what I understood from the
> documentation is the successor of libzero/DNA implementing zero-copy
> operations which requires a license if you want to run the zc mode
> (prefixing with zc:). Here is a good article explaining zero-copy:
> http://www.ibm.com/developerworks/library/j-zerocopy/
>
> Recently I came to know that you can use the zc drivers in standard mode
> (without prefixing with zc:), which does not require a license. I am in the
> middle of building a new box in which I will be using the zc drivers in
> standard mode. We also have a very modest box with PF_RING running two
> Snort instances (which is nothing) with around 7000+ rules and it is
> performing very nicely with PF_RING.
>
> This is by all means does not an answer your question but hope it helps.
>
> YM
>
> ------------------------------
> From: Mike.J.Miller () ihs com
> To: snort-users () lists sourceforge net
> Date: Thu, 19 Jun 2014 12:48:12 -0600
> Subject: [Snort-users] PF_Ring and ntop
>
>
> I’m muddling through the documentation for PF_Ring and am making some
> headway, but am wondering about how things work these days…I’ve got HP
> DL380G8 servers with intel NICs and I’m pretty sure I’ve got PF_Ring
> compiled and loaded correctly. TCPdump in the userland tree works better
> than the TCPdump in the search path, and zcount in the examples_zc folder
> works.
>
>
>
> I know there’s different levels of performance improvement to be had in
> using PF_Ring, PF_Ring DAQ, libzero and PF_Ring ZC, I’m just not sure
> what’s available without purchasing the license from the ntop folks (which
> I’d like to do, but my purse strings have been cut)
>
>
>
> What I really need is the ability to us the ring buffer features to run
> multiple snort threads, a Single snort instance is easily capping out a
> single thread, but the 1g nic is only running around 25% utilization. (and
> snort’s using 7400 rules)
>
>
>
>
>
> *PLEASE NOTE EMAIL, ADDRESS  THERE ARE MULTIPLE MIKE MILLERS AT IHS!*
>
> [image: ihs.com] <http://www.ihs.com/>
>
> [image: http://www.ihsglobalinsight.com/gcpath/spacer.gif]
>
> [image: http://www.ihsglobalinsight.com/gcpath/spacer.gif]
>
> [image: http://www.ihsglobalinsight.com/gcpath/spacer.gif]
>
> *Mike J. Miller*
> Principal Engineer
> Computer Security Incident Response Team
> 15 Inverness Way East | Englewood, Co 80112
> Phone: 303-858-6927 | Mobile: 720-326-1542
> mike.j.miller () ihs com
> ------------------------------
>
> This email message is for the sole use of the intended recipient(s) and
> may contain confidential and privileged information. Any unauthorized
> review, use, disclosure or distribution is prohibited. If you are not the
> intended recipient, please contact the sender by reply e-mail and destroy
> all copies of the original message. Thank you.
>
> þ Please consider the environment before printing this e-mail.
>
>
>
>
>
> ------------------------------------------------------------------------------
> HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
> Find What Matters Most in Your Big Data with HPCC Systems Open Source.
> Fast. Scalable. Simple. Ideal for Dirty Data. Leverages Graph Analysis for
> Fast Processing & Easy Data Exploration http://p.sf.net/sfu/hpccsystems
> _______________________________________________ Snort-users mailing list
> Snort-users () lists sourceforge net Go to this URL to change user options
> or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users
> <https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users>
> list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
> ------------------------------------------------------------------------------
> HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
> Find What Matters Most in Your Big Data with HPCC Systems
> Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
> Leverages Graph Analysis for Fast Processing & Easy Data Exploration
> http://p.sf.net/sfu/hpccsystems
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!

------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!