Luca, in regard to this, I found your paper from 2010:
http://luca.ntop.org/nema2010.pdf
According to that, we can shove in rules directly with an echo:
"+(1,-1,tcp,
192.168.0.10,25,0.0.0.0,0)" > /proc/net/pf_ring/eth3/rules''
Based on that, if I want to dump the traffic across the board, couldn't I do
+(${ruleid},-1,0.0.0.0,443,0.0.0.0,0)
And dump that to my interfaces? From what I read, it supports ip/netmask
options as well, based on
(from paper)
FD filters are expressed as <slot id, VLAN, protocol, ip netmask/port src, ip netmask/port dst, target RX queue id>. Currently all configured filters must have the same mask defined in 82599.
---
Thanks! I had not seen your paper until this morning when I was googling some
more on this topic.
-----Original Message-----
From: Clark, Erik J
Sent: Thursday, March 31, 2016 9:06 AM
To: '[email protected]'
Subject: RE: Ntop-misc Digest, Vol 141, Issue 15
Message: 2
Date: Wed, 30 Mar 2016 23:23:15 +0200
From: Luca Deri <[email protected]>
To: [email protected]
Subject: Re: [Ntop-misc] pf_ring hardware filter question
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"
Chris
you can set rules via the PF_RING API: did you see
https://github.com/ntop/PF_RING/blob/dev/userland/examples/pffilter_test.c ?
Regards Luca
> On 30 Mar 2016, at 21:12, Clark, Erik J <[email protected]> wrote:
>
> All;
> I am trying to filter out tcp and udp traffic at the kernel level
> via pf_ring, but cannot find any documentation as to how to actually
> craft a rule, or how you would make one persist. The only reference I
> can find is to
>
> /proc/net/pf_ring/dev/${interface}/rules
>
> Which would not be persistent. If I wanted to filter out all tcp 443 traffic
> before handing it off to the application layer, say for Snort or Bro, how do
> I do that at the pf_ring level persistently? Thanks much!
>
> Erik
>
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
Unfortunately, I haven't written any C in about 18 years. Even then, I was
never very good at it. On top of that, I can't even seem to understand what is
going on in the file. There is a section where it says it is dropping
everything but icmp, but there is nothing saying that outright, except a
reference to rule.rule_id = 5, which is as clear as mud.
So, is the short answer there is no way to use something like ethtool to set
pf_ring filters? From:
http://ossectools.blogspot.com/2012/10/multi-node-bro-cluster-setup-howto.html
I can see that bpf filters can be associated with the devices somehow
(specifically (ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 0)
I cannot find any documentation on how to set bpf filters, or pf_ring
parameters with something like a shell script or a tool like ethtool. Is this
just not possible?
Erik
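An added example, not from this thread or from the PF_RING project: a POSIX shell helper that builds a rule in the seven-field form quoted from the paper above (+(slot,vlan,proto,src_ip,src_port,dst_ip,dst_port)) and writes it to the /proc/net/pf_ring/IFACE/rules path named in the thread, which is the "shell script instead of C" route asked about. The field meanings beyond that quoted example, the accepted protocol names, and the validation limits are assumptions.

```shell
#!/bin/sh
# Build and apply a PF_RING hardware-filter rule line in the seven-field form
# quoted from the 2010 paper: +(slot,vlan,proto,src_ip,src_port,dst_ip,dst_port).
# Field semantics beyond that quoted example are assumed, not taken from PF_RING.

# is_port N: 0..65535, digits only
is_port() { case "$1" in ''|*[!0-9]*) return 1;; esac; [ "$1" -le 65535 ]; }

# is_ipv4 A.B.C.D: four dotted octets, each 0..255 (0.0.0.0 means "any" in the paper)
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

# pfring_rule SLOT VLAN PROTO SRC_IP SRC_PORT DST_IP DST_PORT
# Prints the rule on stdout; returns 1 (printing nothing) on a malformed field,
# so a typo never reaches the rules file. Accepted protocols are an assumption.
pfring_rule() {
  slot=$1 vlan=$2 proto=$3 sip=$4 sport=$5 dip=$6 dport=$7
  case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1;; esac
  is_ipv4 "$sip" && is_ipv4 "$dip" || { echo "bad ip: $sip/$dip" >&2; return 1; }
  is_port "$sport" && is_port "$dport" || { echo "bad port: $sport/$dport" >&2; return 1; }
  printf '+(%s,%s,%s,%s,%s,%s,%s)\n' "$slot" "$vlan" "$proto" "$sip" "$sport" "$dip" "$dport"
}

# pfring_apply IFACE RULE: write RULE into /proc/net/pf_ring/IFACE/rules.
# The /proc entry is not persistent, so call this from a boot script (rc.local,
# a systemd unit) to re-create the rules after every reboot. When the file is
# absent or not writable (no PF_RING, not root) it prints what it would do.
pfring_apply() {
  f="/proc/net/pf_ring/$1/rules"
  if [ -w "$f" ]; then echo "$2" > "$f"; else echo "dry-run: echo '$2' > $f"; fi
}

# Example: slot 1, any VLAN, tcp, from 192.168.0.10:25 to anywhere (the paper's rule)
r=$(pfring_rule 1 -1 tcp 192.168.0.10 25 0.0.0.0 0) && pfring_apply eth3 "$r"
```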