Snort mailing list archives
Re: PF_Ring and ntop
From: Y M <snort () outlook com>
Date: Sat, 21 Jun 2014 00:40:24 +0300
Avoid the igb-5.1.5 driver as there are known issues compiling it, which have been addressed in igb-5.2.5. They should be under the zc drivers and not the non-zc ones. Sent from Mobile ________________________________ From: Mike Miller<mailto:mike () millertwinracing com> Sent: 6/21/2014 12:14 AM To: Y M<mailto:snort () outlook com> Cc: Miller, Mike<mailto:mike.j.miller () ihs com>; snort-users<mailto:snort-users () lists sourceforge net> Subject: Re: [Snort-users] PF_Ring and ntop They're the drivers that come with the following Source Tree: https://github.com/xtao/PF_RING I've tried the DNC branch (which may be the problem), I'll retry with the PF_RING_aware branch ( PF_RING_aware/intel/igb ) and leave DNA out of it. On Fri, Jun 20, 2014 at 11:09 AM, Y M <snort () outlook com> wrote:
Hi Mike, Are you using the PF_RING-aware NIC drivers for your HP? What transparent_mode are you running the PF_RING kernel with? I wouldn't be able to provide statistical data for the performance among the different parts, but here is what I know. The PF_RING DAQ works is an added DAQ module to Snort's own DAQ library. So now DAQ speaks PF_RING (PF_RING-aware libpcap/kernel). PF_RING zc from what I understood from the documentation is the successor of libzero/DNA implementing zero-copy operations which requires a license if you want to run the zc mode (prefixing with zc:). Here is a good article explaining zero-copy: http://www.ibm.com/developerworks/library/j-zerocopy/ Recently I came to know that you can use the zc drivers in standard mode (without prefixing with zc:), which does not require a license. I am in the middle of building a new box in which I will be using the zc drivers in standard mode. We also have a very modest box with PF_RING running two Snort instances (which is nothing) with around 7000+ rules and it is performing very nicely with PF_RING. This is by all means does not an answer your question but hope it helps. YM ------------------------------ From: Mike.J.Miller () ihs com To: snort-users () lists sourceforge net Date: Thu, 19 Jun 2014 12:48:12 -0600 Subject: [Snort-users] PF_Ring and ntop I’m muddling through the documentation for PF_Ring and am making some headway, but am wondering about how things work these days…I’ve got HP DL380G8 servers with intel NICs and I’m pretty sure I’ve got PF_Ring compiled and loaded correctly. TCPdump in the userland tree works better than the TCPdump in the search path, and zcount in the examples_zc folder works. I know there’s different levels of performance improvement to be had in using PF_Ring, PF_Ring DAQ, libzero and PF_Ring ZC, I’m just not sure what’s available without purchasing the license from the ntop folks (which I’d like to do, but my purse strings have been cut) What I really need is the ability to us the ring buffer features to run multiple snort threads, a Single snort instance is easily capping out a single thread, but the 1g nic is only running around 25% utilization. (and snort’s using 7400 rules) *PLEASE NOTE EMAIL, ADDRESS THERE ARE MULTIPLE MIKE MILLERS AT IHS!* [image: ihs.com] <http://www.ihs.com/> [image: http://www.ihsglobalinsight.com/gcpath/spacer.gif] [image: http://www.ihsglobalinsight.com/gcpath/spacer.gif] [image: http://www.ihsglobalinsight.com/gcpath/spacer.gif] *Mike J. Miller* Principal Engineer Computer Security Incident Response Team 15 Inverness Way East | Englewood, Co 80112 Phone: 303-858-6927 | Mobile: 720-326-1542 mike.j.miller () ihs com ------------------------------ This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Thank you. þ Please consider the environment before printing this e-mail. ------------------------------------------------------------------------------ HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions Find What Matters Most in Your Big Data with HPCC Systems Open Source. Fast. Scalable. Simple. Ideal for Dirty Data. Leverages Graph Analysis for Fast Processing & Easy Data Exploration http://p.sf.net/sfu/hpccsystems _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users <https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users> list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! ------------------------------------------------------------------------------ HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions Find What Matters Most in Your Big Data with HPCC Systems Open Source. Fast. Scalable. Simple. Ideal for Dirty Data. Leverages Graph Analysis for Fast Processing & Easy Data Exploration http://p.sf.net/sfu/hpccsystems _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions Find What Matters Most in Your Big Data with HPCC Systems Open Source. Fast. Scalable. Simple. Ideal for Dirty Data. Leverages Graph Analysis for Fast Processing & Easy Data Exploration http://p.sf.net/sfu/hpccsystems
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- PF_Ring and ntop Miller, Mike (Jun 19)
- Re: PF_Ring and ntop Y M (Jun 20)
- Re: PF_Ring and ntop Mike Miller (Jun 20)
- <Possible follow-ups>
- Re: PF_Ring and ntop Y M (Jun 20)
- Re: PF_Ring and ntop Y M (Jun 20)