Hi Alfredo,
I did not write custom code using nbpf_parse and nbpf_match; I tested
nbpf using bro ids with libpcap from PF_RING.
I think pcap_compile and pcap_setfilter in libpcap from PF_RING use nbpf by
default, and I find that the bpf operation in libpfring also uses functions
in libpcap. Am I correct?
Just now I reran my test in a 10Gbit environment, and it seems that the
number of host items in the bpf string still has no effect on the
processing speed of PF_RING.
What is the main factor influencing the maximum number of hosts which
can be supported by nbpf in a bpf string?
Alfredo Cardigliano <[email protected]> wrote on Thu, 28 Jun 2018 at 3:34 PM:
> Hi Bowen
> said that I am still missing something in your implementation (did you
> write custom code using nbpf_parse and nbpf_match?), your test results
> could be reliable if you are checking the processing speed at 1Gbit.
>
> Alfredo
>
> On 28 Jun 2018, at 09:23, Bowen Li <[email protected]> wrote:
>
> Hi Alfredo
> Thanks for replying.
> My test environment:
> CentOS Linux release 7.2.1511 (Core) 3.10.0-327.13.1.el7.x86_64
> Intel(R) Xeon(R) CPU E5-2690 v2 @ 3.00GHz
> Memory: 128G
>
> PF_RING Version : 7.2.0 (7.2.0-stable:745f567720be0f28385ce923ba9f4957d6fe35cf)
> Total rings : 21
> Standard (non ZC) Options
> Ring slots : 4096
> Slot version : 17
> Capture TX : Yes [RX+TX]
> IP Defragment : No
> Socket Mode : Standard
> Cluster Fragment Queue : 0
> Cluster Fragment Discard : 0
>
> Ethernet controller: Intel Corporation 82574L Gigabit Network Connection
> Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)
>
> bro ids version 2.5.2
>
> My goal is to use nbpf to shunt traffic from some hosts instead of
> catching traffic from specific hosts, so I did the test.
> I use two 10G interfaces on the same NIC to send traffic from one to
> the other (I also do this on a 1G NIC) using pfsend; bro ids listens on
> the receiving interface with a bpf filter. I use the
> "cmd_line_bpf_filter" param in bro to pass the filter to PF_RING. My test
> result is: with the format "not host A and not host B and ...", the
> maximum number of hosts is 466, and it seems that the number of host
> items has no effect on the processing speed of PF_RING. Are my test
> results reliable?
>
> Alfredo Cardigliano <[email protected]> wrote on Wed, 27 Jun 2018 at 4:05 PM:
>
>> Hi Bowen
>> the nbpf syntax actually supports the not operator, however it depends
>> on the actual backend (we probably need to extend the guide commenting
>> more about this). For instance, when translating the filter into hw rules
>> for offloading it to the adapter, in most cases it is not possible to use
>> the not operator.
>> What is your use case/application/card where you are using nbpf?
>>
>> Regards
>> Alfredo
>>
>> On 27 Jun 2018, at 04:48, Bowen Li <[email protected]> wrote:
>>
>> Hi all,
>> The README of the nbpf section on GitHub notes that “NOT” cannot be used
>> as a keyword in a filter; however, I used “NOT” and the filter is effective in
>> my test process. I want to know if there is something wrong in the official
>> documents or if I omitted anything in my code.
>> If the filter format used is “not host A and not host B and...”,
>> how many hosts at maximum could nbpf support in the filter? Besides, could
>> you please tell me if the pcap processing speed of PF_RING will be influenced
>> by the increase in filter length?
>> Any insight would be helpful.
>> _______________________________________________
>> Ntop-misc mailing list
>> [email protected]
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc