void reader_pfring_init(char *UNUSED(name)) { int flags = PF_RING_PROMISC | PF_RING_TIMESTAMP; int clusterId = moloch_config_int(NULL, "pfringClusterId", 0, 0, 255); int i; for (i = 0; i < MAX_INTERFACES && config.interface[i]; i++) { rings[i] = pfring_open(config.interface[i], MOLOCH_SNAPLEN, flags); if (config.bpf) { int err = pfring_set_bpf_filter(rings[i], config.bpf); if (err < 0) { LOG("pfring set filter error %d for %s", err, config.bpf); exit (1); } } if (!rings[i]) { LOG("pfring open failed! - %s", config.interface[i]); exit(1); } pfring_set_cluster(rings[i], clusterId, cluster_per_flow_5_tuple); pfring_set_application_name(rings[i], "moloch-capture"); pfring_set_poll_watermark(rings[i], 64); pfring_enable_rss_rehash(rings[i]); } moloch_reader_start = reader_pfring_start; moloch_reader_stop = reader_pfring_stop; moloch_reader_stats = reader_pfring_stats; }
NetworkHandler::NetworkHandler(std::string deviceName) { deviceName_ = deviceName; myMac_ = EthernetUtils::GetMacOfInterface(deviceName); myIP_ = EthernetUtils::GetIPOfInterface(GetDeviceName()); u_int32_t flags = 0; flags |= PF_RING_LONG_HEADER; flags |= PF_RING_PROMISC; flags |= PF_RING_DNA_SYMMETRIC_RSS; /* Note that symmetric RSS is ignored by non-DNA drivers */ const int snaplen = 128; pfring** rings = new pfring*[MAX_NUM_RX_CHANNELS]; numberOfQueues_ = pfring_open_multichannel((char*) deviceName.data(), snaplen, flags, rings); queueRings_ = new ntop::PFring *[numberOfQueues_]; for (uint_fast8_t i = 0; i < numberOfQueues_; i++) { std::string queDeviceName = deviceName; queDeviceName = deviceName + "@" + std::to_string((int) i); /* * http://www.ntop.org/pfring_api/pfring_8h.html#a397061c37a91876b6b68584e2cb99da5 */ pfring_set_poll_watermark(rings[i], 128); queueRings_[i] = new ntop::PFring(rings[i], (char*) queDeviceName.data(), snaplen, flags); if (queueRings_[i]->enable_ring() >= 0) { LOG_INFO<< "Successfully opened device " << queueRings_[i]->get_device_name(); } else { LOG_ERROR << "Unable to open device " << queDeviceName << "! Is pf_ring not loaded or do you use quick mode and have already a socket bound to this device?!"; exit(1); } } asyncSendData_.set_capacity(1000); }
static int pfring_daq_open(Pfring_Context_t *context, int id) { uint32_t default_net = 0xFFFFFF00; char *device = context->devices[id]; int pfring_rc; pfring *ring_handle; char buf[32]; if(!device) { DPE(context->errbuf, "%s", "PF_RING a device must be specified"); return -1; } if(device) { if(strncmp(device, "dna", 3) == 0) { DPE(context->errbuf, "DNA is not supported by daq_pfring. Please get daq_pfring_dna from http://shop.ntop.org"); return(-1); } context->pkt_buffer = NULL; ring_handle = pfring_open(device, context->snaplen, PF_RING_LONG_HEADER | (context->promisc_flag ? PF_RING_PROMISC : 0)); if(!ring_handle) { DPE(context->errbuf, "pfring_open(): unable to open device '%s'. Please use -i <device>", device); return -1; } } pfring_get_bound_device_ifindex(ring_handle, &context->ifindexes[id]); /* TODO this is because rules purging is not yet available with hw rules */ pfring_set_filtering_mode(ring_handle, software_only); if (context->mode == DAQ_MODE_INLINE) { /* Default mode: recv_and_send_mode */ pfring_set_direction(ring_handle, rx_only_direction); } else if (context->mode == DAQ_MODE_PASSIVE) { /* Default direction: rx_and_tx_direction */ if(context->num_reflector_devices > id) { /* lowlevelbridge ON */ filtering_rule rule; memset(&rule, 0, sizeof(rule)); rule.rule_id = 1; rule.rule_action = reflect_packet_and_continue_rule_evaluation; snprintf(rule.reflector_device_name, REFLECTOR_NAME_LEN, "%s", context->reflector_devices[id]); if(pfring_add_filtering_rule(ring_handle, &rule) < 0) { DPE(context->errbuf, "unable to set the low level packet reflector %s -> %s", device, rule.reflector_device_name); pfring_close(ring_handle); return -1; } else printf("%s -> %s\n", context->devices[id], context->reflector_devices[id]); pfring_set_direction(ring_handle, rx_only_direction); } pfring_set_socket_mode(ring_handle, recv_only_mode); } if(context->clusterids[id] > 0) { pfring_rc = pfring_set_cluster(ring_handle, context->clusterids[id], context->cluster_mode); if(pfring_rc != 0) { DPE(context->errbuf, "pfring_set_cluster returned %d", pfring_rc); pfring_close(ring_handle); return -1; } snprintf(buf, sizeof(buf), "snort-cluster-%d-socket-%d", context->clusterids[id], id); pfring_set_application_name(ring_handle, buf); } else { snprintf(buf, sizeof(buf), "snort-socket-%d", id); pfring_set_application_name(ring_handle, buf); } pfring_set_poll_watermark(ring_handle, context->watermark); context->netmask = htonl(default_net); context->ring_handles[id] = ring_handle; return(0); }
int main(int argc, char* argv[]) { pfring *a_ring, *b_ring; char *a_dev = NULL, *b_dev = NULL, c; u_int8_t verbose = 0, use_pfring_send = 0; int a_ifindex, b_ifindex; int bind_core = -1; u_int16_t watermark = 1; while((c = getopt(argc,argv, "ha:b:c:fvpg:w:")) != -1) { switch(c) { case 'h': printHelp(); return 0; break; case 'a': a_dev = strdup(optarg); break; case 'b': b_dev = strdup(optarg); break; case 'p': use_pfring_send = 1; break; case 'v': verbose = 1; break; case 'g': bind_core = atoi(optarg); break; case 'w': watermark = atoi(optarg); break; } } if ((!a_dev) || (!b_dev)) { printf("You must specify two devices!\n"); return -1; } if(strcmp(a_dev, b_dev) == 0) { printf("Bridge devices must be different!\n"); return -1; } /* Device A */ if((a_ring = pfring_open(a_dev, MAX_PKT_LEN, PF_RING_PROMISC | PF_RING_LONG_HEADER | (use_pfring_send ? 0 : PF_RING_RX_PACKET_BOUNCE)) ) == NULL) { printf("pfring_open error for %s [%s]\n", a_dev, strerror(errno)); return(-1); } pfring_set_application_name(a_ring, "pfbridge-a"); pfring_set_direction(a_ring, rx_only_direction); pfring_set_socket_mode(a_ring, recv_only_mode); pfring_set_poll_watermark(a_ring, watermark); pfring_get_bound_device_ifindex(a_ring, &a_ifindex); /* Device B */ if((b_ring = pfring_open(b_dev, MAX_PKT_LEN, PF_RING_PROMISC|PF_RING_LONG_HEADER)) == NULL) { printf("pfring_open error for %s [%s]\n", b_dev, strerror(errno)); pfring_close(a_ring); return(-1); } pfring_set_application_name(b_ring, "pfbridge-b"); pfring_set_socket_mode(b_ring, send_only_mode); pfring_get_bound_device_ifindex(b_ring, &b_ifindex); /* Enable Sockets */ if (pfring_enable_ring(a_ring) != 0) { printf("Unable enabling ring 'a' :-(\n"); pfring_close(a_ring); pfring_close(b_ring); return(-1); } if(use_pfring_send) { if (pfring_enable_ring(b_ring)) { printf("Unable enabling ring 'b' :-(\n"); pfring_close(a_ring); pfring_close(b_ring); return(-1); } } else { pfring_close(b_ring); } signal(SIGALRM, my_sigalarm); alarm(1); if(bind_core >= 0) bind2core(bind_core); while(1) { u_char *buffer; struct pfring_pkthdr hdr; if(pfring_recv(a_ring, &buffer, 0, &hdr, 1) > 0) { int rc; if(use_pfring_send) { rc = pfring_send(b_ring, (char *) buffer, hdr.caplen, 1); if(rc < 0) printf("pfring_send(caplen=%u <= mtu=%u?) error %d\n", hdr.caplen, b_ring->mtu_len, rc); else if(verbose) printf("Forwarded %d bytes packet\n", hdr.len); } else { rc = pfring_send_last_rx_packet(a_ring, b_ifindex); if(rc < 0) printf("pfring_send_last_rx_packet() error %d\n", rc); else if(verbose) printf("Forwarded %d bytes packet\n", hdr.len); } if(rc >= 0) num_sent++; } } pfring_close(a_ring); if(use_pfring_send) pfring_close(b_ring); return(0); }
int main(int argc, char* argv[]) { char *device = NULL, c, *bind_mask = NULL; int snaplen = DEFAULT_SNAPLEN, rc, watermark = 0, rehash_rss = 0; packet_direction direction = rx_only_direction; long i; u_int16_t cpu_percentage = 0, poll_duration = 0; u_int32_t version; u_int32_t flags = 0; startTime.tv_sec = 0; thiszone = gmt2local(0); numCPU = sysconf( _SC_NPROCESSORS_ONLN ); memset(thread_core_affinity, -1, sizeof(thread_core_affinity)); while((c = getopt(argc,argv,"hi:l:mvae:w:b:rp:g:")) != -1) { switch(c) { case 'h': printHelp(); return(0); break; case 'a': wait_for_packet = 0; break; case 'e': switch(atoi(optarg)) { case rx_and_tx_direction: case rx_only_direction: case tx_only_direction: direction = atoi(optarg); break; } break; case 'l': snaplen = atoi(optarg); break; case 'i': device = strdup(optarg); break; case 'm': use_extended_pkt_header = 1; break; case 'v': verbose = 1; break; case 'w': watermark = atoi(optarg); break; case 'b': cpu_percentage = atoi(optarg); break; case 'r': rehash_rss = 1; break; case 'p': poll_duration = atoi(optarg); break; case 'g': bind_mask = strdup(optarg); break; } } if(verbose) watermark = 1; if(device == NULL) device = DEFAULT_DEVICE; printf("Capturing from %s\n", device); flags |= PF_RING_PROMISC; /* hardcode: promisc=1 */ #if 0 flags |= PF_RING_DNA_FIXED_RSS_Q_0; #else flags |= PF_RING_DNA_SYMMETRIC_RSS; /* Note that symmetric RSS is ignored by non-DNA drivers */ #endif if(use_extended_pkt_header) flags |= PF_RING_LONG_HEADER; num_channels = pfring_open_multichannel(device, snaplen, flags, ring); if(num_channels <= 0) { fprintf(stderr, "pfring_open_multichannel() returned %d [%s]\n", num_channels, strerror(errno)); return(-1); } if (num_channels > MAX_NUM_THREADS) { printf("WARNING: Too many channels (%d), using %d channels\n", num_channels, MAX_NUM_THREADS); num_channels = MAX_NUM_THREADS; } else if (num_channels > numCPU) { printf("WARNING: More channels (%d) than available cores (%d), using %d channels\n", num_channels, numCPU, numCPU); num_channels = numCPU; } else { printf("Found %d channels\n", num_channels); } if(bind_mask != NULL) { char *id = strtok(bind_mask, ":"); int idx = 0; while(id != NULL) { thread_core_affinity[idx++] = atoi(id) % numCPU; if(idx >= num_channels) break; id = strtok(NULL, ":"); } } pfring_version(ring[0], &version); printf("Using PF_RING v.%d.%d.%d\n", (version & 0xFFFF0000) >> 16, (version & 0x0000FF00) >> 8, version & 0x000000FF); for(i=0; i<num_channels; i++) { char buf[32]; snprintf(buf, sizeof(buf), "pfcount_multichannel-thread %ld", i); pfring_set_application_name(ring[i], buf); if((rc = pfring_set_direction(ring[i], direction)) != 0) fprintf(stderr, "pfring_set_direction returned %d [direction=%d] (you can't capture TX with DNA)\n", rc, direction); if((rc = pfring_set_socket_mode(ring[i], recv_only_mode)) != 0) fprintf(stderr, "pfring_set_socket_mode returned [rc=%d]\n", rc); if(watermark > 0) { if((rc = pfring_set_poll_watermark(ring[i], watermark)) != 0) fprintf(stderr, "pfring_set_poll_watermark returned [rc=%d][watermark=%d]\n", rc, watermark); } #if 0 setup_steering(ring[0], "192.168.30.207", -1); /* UTDF */ setup_steering(ring[0], "224.0.1.92", 1); setup_steering(ring[0], "224.0.1.94", 1); setup_steering(ring[0], "224.0.1.96", 1); /* BATS */ setup_steering(ring[0], "224.0.62.2", 2); /* default: should go to channel 0 */ #endif if(rehash_rss) pfring_enable_rss_rehash(ring[i]); if(poll_duration > 0) pfring_set_poll_duration(ring[i], poll_duration); pfring_enable_ring(ring[i]); pthread_create(&pd_thread[i], NULL, packet_consumer_thread, (void*)i); usleep(500); } if(cpu_percentage > 0) { if(cpu_percentage > 99) cpu_percentage = 99; pfring_config(cpu_percentage); } signal(SIGINT, sigproc); signal(SIGTERM, sigproc); signal(SIGINT, sigproc); if(!verbose) { signal(SIGALRM, my_sigalarm); alarm(ALARM_SLEEP); } for(i=0; i<num_channels; i++) { pthread_join(pd_thread[i], NULL); pfring_close(ring[i]); } return(0); }