void reader_pfring_init(char *UNUSED(name))
{
int flags = PF_RING_PROMISC | PF_RING_TIMESTAMP;
int clusterId = moloch_config_int(NULL, "pfringClusterId", 0, 0, 255);
int i;
for (i = 0; i < MAX_INTERFACES && config.interface[i]; i++) {
rings[i] = pfring_open(config.interface[i], MOLOCH_SNAPLEN, flags);
if (config.bpf) {
int err = pfring_set_bpf_filter(rings[i], config.bpf);
if (err < 0) {
LOG("pfring set filter error %d for %s", err, config.bpf);
exit (1);
}
}
if (!rings[i]) {
LOG("pfring open failed! - %s", config.interface[i]);
exit(1);
}
pfring_set_cluster(rings[i], clusterId, cluster_per_flow_5_tuple);
pfring_set_application_name(rings[i], "moloch-capture");
pfring_set_poll_watermark(rings[i], 64);
pfring_enable_rss_rehash(rings[i]);
}
moloch_reader_start = reader_pfring_start;
moloch_reader_stop = reader_pfring_stop;
moloch_reader_stats = reader_pfring_stats;
}
NetworkHandler::NetworkHandler(std::string deviceName) {
deviceName_ = deviceName;
myMac_ = EthernetUtils::GetMacOfInterface(deviceName);
myIP_ = EthernetUtils::GetIPOfInterface(GetDeviceName());
u_int32_t flags = 0;
flags |= PF_RING_LONG_HEADER;
flags |= PF_RING_PROMISC;
flags |= PF_RING_DNA_SYMMETRIC_RSS; /* Note that symmetric RSS is ignored by non-DNA drivers */
const int snaplen = 128;
pfring** rings = new pfring*[MAX_NUM_RX_CHANNELS];
numberOfQueues_ = pfring_open_multichannel((char*) deviceName.data(),
snaplen, flags, rings);
queueRings_ = new ntop::PFring *[numberOfQueues_];
for (uint_fast8_t i = 0; i < numberOfQueues_; i++) {
std::string queDeviceName = deviceName;
queDeviceName = deviceName + "@" + std::to_string((int) i);
/*
* http://www.ntop.org/pfring_api/pfring_8h.html#a397061c37a91876b6b68584e2cb99da5
*/
pfring_set_poll_watermark(rings[i], 128);
queueRings_[i] = new ntop::PFring(rings[i],
(char*) queDeviceName.data(), snaplen, flags);
if (queueRings_[i]->enable_ring() >= 0) {
LOG_INFO<< "Successfully opened device "
<< queueRings_[i]->get_device_name();
} else {
LOG_ERROR << "Unable to open device " << queDeviceName
<< "! Is pf_ring not loaded or do you use quick mode and have already a socket bound to this device?!";
exit(1);
}
}
asyncSendData_.set_capacity(1000);
}
static int pfring_daq_open(Pfring_Context_t *context, int id) {
uint32_t default_net = 0xFFFFFF00;
char *device = context->devices[id];
int pfring_rc;
pfring *ring_handle;
char buf[32];
if(!device) {
DPE(context->errbuf, "%s", "PF_RING a device must be specified");
return -1;
}
if(device) {
if(strncmp(device, "dna", 3) == 0) {
DPE(context->errbuf, "DNA is not supported by daq_pfring. Please get daq_pfring_dna from http://shop.ntop.org");
return(-1);
}
context->pkt_buffer = NULL;
ring_handle = pfring_open(device, context->snaplen,
PF_RING_LONG_HEADER
| (context->promisc_flag ? PF_RING_PROMISC : 0));
if(!ring_handle) {
DPE(context->errbuf, "pfring_open(): unable to open device '%s'. Please use -i <device>", device);
return -1;
}
}
pfring_get_bound_device_ifindex(ring_handle, &context->ifindexes[id]);
/* TODO this is because rules purging is not yet available with hw rules */
pfring_set_filtering_mode(ring_handle, software_only);
if (context->mode == DAQ_MODE_INLINE) {
/* Default mode: recv_and_send_mode */
pfring_set_direction(ring_handle, rx_only_direction);
} else if (context->mode == DAQ_MODE_PASSIVE) {
/* Default direction: rx_and_tx_direction */
if(context->num_reflector_devices > id) { /* lowlevelbridge ON */
filtering_rule rule;
memset(&rule, 0, sizeof(rule));
rule.rule_id = 1;
rule.rule_action = reflect_packet_and_continue_rule_evaluation;
snprintf(rule.reflector_device_name, REFLECTOR_NAME_LEN, "%s", context->reflector_devices[id]);
if(pfring_add_filtering_rule(ring_handle, &rule) < 0) {
DPE(context->errbuf, "unable to set the low level packet reflector %s -> %s", device, rule.reflector_device_name);
pfring_close(ring_handle);
return -1;
} else
printf("%s -> %s\n", context->devices[id], context->reflector_devices[id]);
pfring_set_direction(ring_handle, rx_only_direction);
}
pfring_set_socket_mode(ring_handle, recv_only_mode);
}
if(context->clusterids[id] > 0) {
pfring_rc = pfring_set_cluster(ring_handle, context->clusterids[id], context->cluster_mode);
if(pfring_rc != 0) {
DPE(context->errbuf, "pfring_set_cluster returned %d", pfring_rc);
pfring_close(ring_handle);
return -1;
}
snprintf(buf, sizeof(buf), "snort-cluster-%d-socket-%d", context->clusterids[id], id);
pfring_set_application_name(ring_handle, buf);
} else {
snprintf(buf, sizeof(buf), "snort-socket-%d", id);
pfring_set_application_name(ring_handle, buf);
}
pfring_set_poll_watermark(ring_handle, context->watermark);
context->netmask = htonl(default_net);
context->ring_handles[id] = ring_handle;
return(0);
}
int main(int argc, char* argv[]) {
pfring *a_ring, *b_ring;
char *a_dev = NULL, *b_dev = NULL, c;
u_int8_t verbose = 0, use_pfring_send = 0;
int a_ifindex, b_ifindex;
int bind_core = -1;
u_int16_t watermark = 1;
while((c = getopt(argc,argv, "ha:b:c:fvpg:w:")) != -1) {
switch(c) {
case 'h':
printHelp();
return 0;
break;
case 'a':
a_dev = strdup(optarg);
break;
case 'b':
b_dev = strdup(optarg);
break;
case 'p':
use_pfring_send = 1;
break;
case 'v':
verbose = 1;
break;
case 'g':
bind_core = atoi(optarg);
break;
case 'w':
watermark = atoi(optarg);
break;
}
}
if ((!a_dev) || (!b_dev)) {
printf("You must specify two devices!\n");
return -1;
}
if(strcmp(a_dev, b_dev) == 0) {
printf("Bridge devices must be different!\n");
return -1;
}
/* Device A */
if((a_ring = pfring_open(a_dev, MAX_PKT_LEN, PF_RING_PROMISC | PF_RING_LONG_HEADER |
(use_pfring_send ? 0 : PF_RING_RX_PACKET_BOUNCE))
) == NULL) {
printf("pfring_open error for %s [%s]\n", a_dev, strerror(errno));
return(-1);
}
pfring_set_application_name(a_ring, "pfbridge-a");
pfring_set_direction(a_ring, rx_only_direction);
pfring_set_socket_mode(a_ring, recv_only_mode);
pfring_set_poll_watermark(a_ring, watermark);
pfring_get_bound_device_ifindex(a_ring, &a_ifindex);
/* Device B */
if((b_ring = pfring_open(b_dev, MAX_PKT_LEN, PF_RING_PROMISC|PF_RING_LONG_HEADER)) == NULL) {
printf("pfring_open error for %s [%s]\n", b_dev, strerror(errno));
pfring_close(a_ring);
return(-1);
}
pfring_set_application_name(b_ring, "pfbridge-b");
pfring_set_socket_mode(b_ring, send_only_mode);
pfring_get_bound_device_ifindex(b_ring, &b_ifindex);
/* Enable Sockets */
if (pfring_enable_ring(a_ring) != 0) {
printf("Unable enabling ring 'a' :-(\n");
pfring_close(a_ring);
pfring_close(b_ring);
return(-1);
}
if(use_pfring_send) {
if (pfring_enable_ring(b_ring)) {
printf("Unable enabling ring 'b' :-(\n");
pfring_close(a_ring);
pfring_close(b_ring);
return(-1);
}
} else {
pfring_close(b_ring);
}
signal(SIGALRM, my_sigalarm);
alarm(1);
if(bind_core >= 0)
bind2core(bind_core);
while(1) {
u_char *buffer;
struct pfring_pkthdr hdr;
if(pfring_recv(a_ring, &buffer, 0, &hdr, 1) > 0) {
int rc;
if(use_pfring_send) {
rc = pfring_send(b_ring, (char *) buffer, hdr.caplen, 1);
if(rc < 0)
printf("pfring_send(caplen=%u <= mtu=%u?) error %d\n", hdr.caplen, b_ring->mtu_len, rc);
else if(verbose)
printf("Forwarded %d bytes packet\n", hdr.len);
} else {
rc = pfring_send_last_rx_packet(a_ring, b_ifindex);
if(rc < 0)
printf("pfring_send_last_rx_packet() error %d\n", rc);
else if(verbose)
printf("Forwarded %d bytes packet\n", hdr.len);
}
if(rc >= 0) num_sent++;
}
}
pfring_close(a_ring);
if(use_pfring_send) pfring_close(b_ring);
return(0);
}
int main(int argc, char* argv[]) {
char *device = NULL, c, *bind_mask = NULL;
int snaplen = DEFAULT_SNAPLEN, rc, watermark = 0, rehash_rss = 0;
packet_direction direction = rx_only_direction;
long i;
u_int16_t cpu_percentage = 0, poll_duration = 0;
u_int32_t version;
u_int32_t flags = 0;
startTime.tv_sec = 0;
thiszone = gmt2local(0);
numCPU = sysconf( _SC_NPROCESSORS_ONLN );
memset(thread_core_affinity, -1, sizeof(thread_core_affinity));
while((c = getopt(argc,argv,"hi:l:mvae:w:b:rp:g:")) != -1) {
switch(c) {
case 'h':
printHelp();
return(0);
break;
case 'a':
wait_for_packet = 0;
break;
case 'e':
switch(atoi(optarg)) {
case rx_and_tx_direction:
case rx_only_direction:
case tx_only_direction:
direction = atoi(optarg);
break;
}
break;
case 'l':
snaplen = atoi(optarg);
break;
case 'i':
device = strdup(optarg);
break;
case 'm':
use_extended_pkt_header = 1;
break;
case 'v':
verbose = 1;
break;
case 'w':
watermark = atoi(optarg);
break;
case 'b':
cpu_percentage = atoi(optarg);
break;
case 'r':
rehash_rss = 1;
break;
case 'p':
poll_duration = atoi(optarg);
break;
case 'g':
bind_mask = strdup(optarg);
break;
}
}
if(verbose) watermark = 1;
if(device == NULL) device = DEFAULT_DEVICE;
printf("Capturing from %s\n", device);
flags |= PF_RING_PROMISC; /* hardcode: promisc=1 */
#if 0
flags |= PF_RING_DNA_FIXED_RSS_Q_0;
#else
flags |= PF_RING_DNA_SYMMETRIC_RSS; /* Note that symmetric RSS is ignored by non-DNA drivers */
#endif
if(use_extended_pkt_header) flags |= PF_RING_LONG_HEADER;
num_channels = pfring_open_multichannel(device, snaplen, flags, ring);
if(num_channels <= 0) {
fprintf(stderr, "pfring_open_multichannel() returned %d [%s]\n", num_channels, strerror(errno));
return(-1);
}
if (num_channels > MAX_NUM_THREADS)
{
printf("WARNING: Too many channels (%d), using %d channels\n", num_channels, MAX_NUM_THREADS);
num_channels = MAX_NUM_THREADS;
}
else if (num_channels > numCPU)
{
printf("WARNING: More channels (%d) than available cores (%d), using %d channels\n", num_channels, numCPU, numCPU);
num_channels = numCPU;
}
else
{
printf("Found %d channels\n", num_channels);
}
if(bind_mask != NULL)
{
char *id = strtok(bind_mask, ":");
int idx = 0;
while(id != NULL) {
thread_core_affinity[idx++] = atoi(id) % numCPU;
if(idx >= num_channels) break;
id = strtok(NULL, ":");
}
}
pfring_version(ring[0], &version);
printf("Using PF_RING v.%d.%d.%d\n",
(version & 0xFFFF0000) >> 16,
(version & 0x0000FF00) >> 8,
version & 0x000000FF);
for(i=0; i<num_channels; i++)
{
char buf[32];
snprintf(buf, sizeof(buf), "pfcount_multichannel-thread %ld", i);
pfring_set_application_name(ring[i], buf);
if((rc = pfring_set_direction(ring[i], direction)) != 0)
fprintf(stderr, "pfring_set_direction returned %d [direction=%d] (you can't capture TX with DNA)\n", rc, direction);
if((rc = pfring_set_socket_mode(ring[i], recv_only_mode)) != 0)
fprintf(stderr, "pfring_set_socket_mode returned [rc=%d]\n", rc);
if(watermark > 0) {
if((rc = pfring_set_poll_watermark(ring[i], watermark)) != 0)
fprintf(stderr, "pfring_set_poll_watermark returned [rc=%d][watermark=%d]\n", rc, watermark);
}
#if 0
setup_steering(ring[0], "192.168.30.207", -1);
/* UTDF */
setup_steering(ring[0], "224.0.1.92", 1);
setup_steering(ring[0], "224.0.1.94", 1);
setup_steering(ring[0], "224.0.1.96", 1);
/* BATS */
setup_steering(ring[0], "224.0.62.2", 2);
/* default: should go to channel 0 */
#endif
if(rehash_rss)
pfring_enable_rss_rehash(ring[i]);
if(poll_duration > 0)
pfring_set_poll_duration(ring[i], poll_duration);
pfring_enable_ring(ring[i]);
pthread_create(&pd_thread[i], NULL, packet_consumer_thread, (void*)i);
usleep(500);
}
if(cpu_percentage > 0) {
if(cpu_percentage > 99) cpu_percentage = 99;
pfring_config(cpu_percentage);
}
signal(SIGINT, sigproc);
signal(SIGTERM, sigproc);
signal(SIGINT, sigproc);
if(!verbose) {
signal(SIGALRM, my_sigalarm);
alarm(ALARM_SLEEP);
}
for(i=0; i<num_channels; i++) {
pthread_join(pd_thread[i], NULL);
pfring_close(ring[i]);
}
return(0);
}
