Discussion:
af_packet vs pfring
Russell Fulton
2013-07-28 00:15:46 UTC
Hi

The next decision I need to make is whether to use pf_ring or af_packet. From what I can garner with Google, if you are just running suri on the sensor, af_packet is flavour of the month. However, I have found references that suggest that if one wants to run other packages like argus and bro alongside it, then pf_ring is preferred.

Can anyone point me to a document that spells out the pros and cons of the two?

Thanks, Russell
_______________________________________________
Suricata IDS Users mailing list: oisf-users-***@public.gmane.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/
Cooper F. Nelson
2013-07-28 00:23:05 UTC

AF_PACKET + mmap mode is pretty much the same thing as pf_ring.

I thought pf_ring was proprietary or licensed in some way, but I may be
wrong about that.

In my setup, it appears AF_PACKET mode will truncate packets unless all
offloading features of the NIC are disabled.

See this blog post for more details:
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html

I use AF_PACKET for suricata and libpcap for everything else on the same
box, no problems yet.

-Coop
Post by Russell Fulton
Hi
The next decision I need to make is whether to use pf_ring or
af_packet. From what I can garner with Google, if you are just
running suri on the sensor, af_packet is flavour of the month.
However, I have found references that suggest that if one wants to run
other packages like argus and bro alongside it, then pf_ring is
preferred.
Can anyone point me to a document that spells out the pros and cons of the two?
Thanks, Russell
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson-XkckGZ689+***@public.gmane.org x41042
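A check for the truncation problem Cooper describes, added here as an example and not code from the thread or from the Security Onion post: it reads `ethtool -k` output (a constructed sample is embedded) and lists the offload features that are still enabled, with a helper to switch them off. It assumes the sniffing interface is called eth1 and uses the standard `ethtool -K` short feature names.

```shell
#!/bin/sh
# Added example, not from the thread: find NIC offload features that are still
# on. Any of them lets the NIC hand the kernel (and so AF_PACKET or PF_RING)
# frames that differ from what was on the wire, which is what the Security
# Onion post means by capture that is "not full".

# Read `ethtool -k IFACE` output on stdin and print the names of features that
# are "on" and toggleable; "[fixed]" entries cannot be changed by ethtool -K.
enabled_offloads() {
    awk -F': *' '/: on/ && !/\[fixed\]/ { sub(/^[ \t]+/, "", $1); print $1 }'
}

# Constructed sample of `ethtool -k eth1` for a NIC with offloading left on.
SAMPLE_ETHTOOL_K='Features for eth1:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off [fixed]'

# Succeed only if nothing that can merge or resegment frames is still enabled.
capture_safe() {
    [ -z "$(printf '%s\n' "$1" | enabled_offloads)" ]
}

# Turn every toggleable offload off on a sniffing interface (needs root).
# These are the ethtool -K short names for the features listed above; a
# driver that rejects one of them is skipped rather than aborting the loop.
disable_offloads() {
    iface="$1"
    for f in rx tx sg tso ufo gso gro lro rxvlan txvlan; do
        ethtool -K "$iface" "$f" off 2>/dev/null || true
    done
}

# Typical use on a live sensor (commented out so the block runs offline):
# ethtool -k eth1 | enabled_offloads                 # what is still on
# disable_offloads eth1                              # switch it all off
# capture_safe "$(ethtool -k eth1)" && echo "eth1 offloads disabled"
```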
Chris Wakelin
2013-07-28 11:22:49 UTC
Post by Cooper F. Nelson
AF_PACKET + mmap mode is pretty much the same thing as pf_ring.
More or less true for the "vanilla" PF_RING
Post by Cooper F. Nelson
I thought pf_ring was proprietary or licensed in some way, but I may be
wrong about that.
"vanilla" PF_RING is open-source. There are proprietary extensions to it
- "DNA" drivers and "libzero for DNA" that are sold for a small amount.
However, universities can probably have them for free if they ask nicely
(as we did :-) )

DNA makes packet capture faster but only one application can access the
packets. DNA + libzero enables multiple applications to see the packets
in a "zero-copy" mode (for extra speed). See
http://www.ntop.org/products/pf_ring/dna/ and
http://www.ntop.org/products/pf_ring/libzero-for-dna/ for details.
Post by Cooper F. Nelson
In my setup, it appears AF_PACKET mode will truncate packets unless all
offloading features of the NIC are disabled.
Probably true of PF_RING too.
Post by Cooper F. Nelson
See this blog post for more details:
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
I use AF_PACKET for suricata and libpcap for everything else on the same
box, no problems yet.
-Coop
We're using PF_RING + DNA + libzero and running Suricata + Bro + Argus.
I had a look at AF_PACKET a few months ago, but couldn't get it to work
without dropping packets. I also was under the impression it wouldn't
allow multiple applications to see the traffic, but from what Cooper
just said, it seems I was wrong!

Best Wishes,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin-***@public.gmane.org
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
Peter Bates
2013-07-29 08:18:29 UTC
Hello all
Post by Chris Wakelin
We're using PF_RING + DNA + libzero and running Suricata + Bro + Argus.
I had a look at AF_PACKET a few months ago, but couldn't get it to work
without dropping packets. I also was under the impression it wouldn't
allow multiple applications to see the traffic, but from what Cooper
just said, it seems I was wrong!
With new versions of Suricata popping up, I'm contemplating revisiting
the software. Last time I checked with AF_PACKET I saw packet loss,
but testing Suricata with PF_RING last week I saw packet loss as well.

I'm using PF_RING to run multiple instances of Snort (and some other
applications) and it would be nice to unify everything together and make
the big switch.

What version of Suricata are people mostly running - 1.4.x production,
the version from Git, etc.?

--
Peter Bates
Senior Information Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT
Peter Manev
2013-07-29 13:04:07 UTC
Post by Peter Bates
Hello all
Post by Chris Wakelin
We're using PF_RING + DNA + libzero and running Suricata + Bro + Argus.
I had a look at AF_PACKET a few months ago, but couldn't get it to work
without dropping packets. I also was under the impression it wouldn't
allow multiple applications to see the traffic, but from what Cooper
just said, it seems I was wrong!
With new versions of Suricata popping up, I'm contemplating revisiting
the software. Last time I checked with AF_PACKET I saw packet loss,
but testing Suricata with PF_RING last week I saw packet loss as well.
That is a loaded question. There are numerous dependencies: what type of traffic is predominant, what type of HW, how much traffic, how much HW resources are available, how many rules, which rule set (VRT/ET/ETPro) ...
Post by Peter Bates
I'm using PF_RING to run multiple instances of Snort (and some other
applications) and it would be nice to unify everything together and make
the big switch.
You should consolidate, I agree.
Before that you should do some testing to determine whether afpacket or pfring works best for you / your HW.
Post by Peter Bates
What version of Suricata are people mostly running - 1.4.x production,
the version from Git, etc.?
Peter Bates
2013-07-29 13:29:24 UTC
Hello all
Post by Peter Manev
That is a loaded question. There are numerous dependencies: what type of traffic is predominant, what type of HW, how much traffic, how much HW resources are available, how many rules, which rule set (VRT/ET/ETPro) ...
I have between 3-4 Gbps of traffic, 32 cores, 64 GB of RAM
and was testing with no rules.
However, possibly the 'out of the box' suricata.yaml is not tuned/tweaked
to our requirements.

I'll revisit this shortly - in the meantime is it more sensible to
be testing against the stable 1.4.x branch or 2.x/GIT?

--
Peter Bates
Senior Information Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT
Peter Manev
2013-07-29 13:43:17 UTC
Post by Peter Bates
Hello all
Post by Peter Manev
That is a loaded question. There are numerous dependencies: what type of traffic is predominant, what type of HW, how much traffic, how much HW resources are available, how many rules, which rule set (VRT/ET/ETPro) ...
I have between 3-4 Gbps of traffic, 32 cores, 64 GB of RAM
and was testing with no rules.
However, possibly the 'out of the box' suricata.yaml is not tuned/tweaked
to our requirements.
Most likely (kernel 3.2 and above).
I would try, just to begin with:

- afpacket, max pending packets 200K
- 32 threads
- prealloc sessions 1 million
- mpm context "full"

That alone above would be about 15-17 GB of RAM right away, I think.

Then test pfring

Make sure you run the latest net card drivers.

Just my suggestion.
Post by Peter Bates
I'll revisit this shortly - in the meantime is it more sensible to
be testing against the stable 1.4.x branch or 2.x/GIT?
I would suggest 1.4.5 for production.