Hi Bowen

libpcap-over-pfring actually uses standard BPF, unless you are

1. capturing from an adapter supporting hw filters (in that case pf_ring translates bpf to hw rules using nbpf, and it uses standard bpf in userspace as fallback), or
2. extracting traffic from a n2disk dumpset with the timeline enabled.

Alfredo

> On 29 Jun 2018, at 04:39, Bowen Li <[email protected]> wrote:
>
> Hi Alfredo
> I did not write custom code using nbpf_parse and nbpf_match, I test nbpf using bro ids with libpcap from PF_RING,
> I think pcap_compile and pcap_setfilter in libpcap from PF_RING uses nbpf by default, and I find that bpf operation in libpfring also uses functions in libpcap, am I correct?
> Just now I rerun my test under 10Gbit environment, it seems that the number of host item in bpf string still has no effect on the processing speed of PF_RING.
> What is the main influential factor about the maximum num of host which could be supported by nbpf in bpf string?
>
> Alfredo Cardigliano <[email protected]> wrote on Thu, 28 Jun 2018 at 3:34 PM:
> Hi Bowen
> said that I am still missing something in your implementation (did you write custom code using nbpf_parse and nbpf_match ?), your test results could be reliable if you are checking the processing speed at 1Gbit.
>
> Alfredo
>
>> On 28 Jun 2018, at 09:23, Bowen Li <[email protected]> wrote:
>>
>> Hi Alfredo
>> Thanks for replying.
>> My test environment:
>> CentOS Linux release 7.2.1511 (Core) 3.10.0-327.13.1.el7.x86_64
>> Intel(R) Xeon(R) CPU E5-2690 v2 @ 3.00GHz
>> Memory: 128G
>>
>> PF_RING Version : 7.2.0 (7.2.0-stable:745f567720be0f28385ce923ba9f4957d6fe35cf)
>> Total rings : 21
>> Standard (non ZC) Options
>> Ring slots : 4096
>> Slot version : 17
>> Capture TX : Yes [RX+TX]
>> IP Defragment : No
>> Socket Mode : Standard
>> Cluster Fragment Queue : 0
>> Cluster Fragment Discard : 0
>>
>> Ethernet controller: Intel Corporation 82574L Gigabit Network Connection
>> Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)
>>
>> bro ids version 2.5.2
>>
>> My goal is to use nbpf to shunt traffic from some hosts instead of catching traffic from specific hosts, so I did the test.
>> I use two 10G interfaces on the same nic to send traffic from one to another one (I also do this on 1G nic) using pfsend, bro ids listens on the receiving interface with bpf filter, I use "cmd_line_bpf_filter" param in bro to pass filter to PF_RING, my test result is: with format "not host A and not host B and ...", the maximum num of host is 466 and it seems that the number of host item has no effect on the processing speed of PF_RING. Are my test results reliable?
>>
>> Alfredo Cardigliano <[email protected]> wrote on Wed, 27 Jun 2018 at 4:05 PM:
>> Hi Bowen
>> the nbpf syntax actually supports the not operator, however it depends on the actual backend (we probably need to extend the guide commenting more about this). For instance translating the filter into hw rules for offloading it to the adapter, in most cases it is not possible to use the not operator.
>> What is your use case/application/card where you are using nbpf?
>>
>> Regards
>> Alfredo
>>
>>> On 27 Jun 2018, at 04:48, Bowen Li <[email protected]> wrote:
>>>
>>> Hi all,
>>> The README of nbpf section in github notes that “NOT” cannot be used as keyword in filter, however, I used “NOT” and the filter is effective in my test process. I want to know if there is something wrong in the official documents or I omitted anything in my code.
>>> If the used format of filter is “not host A and not host B and...”, how many hosts that nbpf could support to filter in maximum? Besides, could you please tell me if pcap processing speed of PF_RING will be influenced with the increase of filter length?
>>> Any insight would be helpful.
>>> _______________________________________________
>>> Ntop-misc mailing list
>>> [email protected]
>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
