af_packet in capture


erik clark

Mar 27, 2017, 1:25:44 PM3/27/17
to Moloch Full Packet Capture
I can't seem to find any evidence that af_packet is supported by the capture nodes, but that tpacket is. Is there any likelihood that af_packet compatibility will make it into Moloch? We don't want to use pf_ring because of its third party nature, given that af_packet is native. Thanks!


Andy

Mar 27, 2017, 1:47:43 PM3/27/17
to Moloch Full Packet Capture
af_packet == tpacket

With older suricatas and other software, "af_packet" means tpacket_v1 or tpacket_v2.  Moloch only supports v3.   That said they can all live together so I don't really know if I understand your question/concern.  Newer versions of suricata support v3 I think.

Thanks,
Andy

erik clark

Mar 28, 2017, 7:35:23 AM3/28/17
to Moloch Full Packet Capture
Yeah, the reason I brought it up is that RHEL 7 does not support tpacket_v3. :/

Thanks for the clarification!

Andy

Mar 28, 2017, 8:35:20 AM3/28/17
to Moloch Full Packet Capture
Centos 7 supports tpacket v3 so I would be very surprised if RHEL 7 doesn't. v3 was added in 3.2; what kernel are you using?

grep TPACKET /usr/include/linux/if_packet.h

erik clark

Mar 28, 2017, 9:59:20 AM3/28/17
to Moloch Full Packet Capture
RHEL7 stable production kernel is 3.10.0-X. tpacket_v3 is listed in if_packet.h, _but_, hash computing is broken and not fixed until a later revision, specifically net-next. Redhat's suggested solution was to turn ingress hashing off using

ethtool -K <ingress nic> rxhash off


The goal was to try and run Suricata with af_packet on the same box as a capture node (why duplicate hardware if it's listening to the same traffic and on the link not very cpu or memory intensive?)

The short of it is, to get af_packet working on RHEL7 without too much fuss, you have to tinker with ethtool a good bit, since the ixgbe driver (see http://marc.info/?l=linux-netdev&m=148181173415107&) and if_packet stack in RHEL 7 have some compatibility issues. 


Moloch "just works" with pf_ring, but I was hoping to not have to use it. Ah well.

Andy

Mar 28, 2017, 10:29:21 AM3/28/17
to Moloch Full Packet Capture

We run moloch, bro, and suricata on the same hardware with no issue.  But I guess we only have 1 instance of each?  We are still on centos 6 and just install a kernel from http://elrepo.org/linux/kernel/ to get around all issues.  Can you do the same but with v7?


Anyway, just in case folks read this thread:
* moloch directly supports af packet v3 mode, it does not support v1/v2, you should probably use a newer kernel for best experience.  Set the moloch reader to tpacketv3.
* moloch using the libpcap reader supports af packet in v1 or v2 mode.  This can add about 5-20% overhead, depending on hardware/traffic/...

Thanks,
Andy
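Added example, not code from the thread or from Moloch: a small POSIX sh preflight that runs the three checks discussed above before picking the tpacketv3 reader on a RHEL/CentOS 7 capture box (kernel at or above 3.2, TPACKET_V3 present in if_packet.h, receive hashing turned off on the capture NIC as Redhat suggested). The function names and the NIC argument are my own assumptions; the header path and the ethtool feature are the ones the thread uses.

```shell
#!/bin/sh
# Preflight for running Moloch's tpacketv3 reader (and Suricata af_packet)
# on the same host. Added example; function names are assumptions.

# kernel_at_least VERSION MAJOR MINOR
# VERSION is a `uname -r` string, e.g. 3.10.0-514.el7.x86_64; the
# distribution suffix after the first '-' is ignored.
kernel_at_least() {
    ver=${1%%-*}
    maj=${ver%%.*}
    case $ver in
        *.*) rest=${ver#*.}; min=${rest%%.*} ;;
        *)   min=0 ;;
    esac
    [ "$maj" -gt "$2" ] || { [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ]; }
}

# header_defines_tpacket_v3 FILE
# Same check as `grep TPACKET /usr/include/linux/if_packet.h`, narrowed to v3.
header_defines_tpacket_v3() {
    grep -q 'TPACKET_V3' "$1" 2>/dev/null
}

# rxhash_off ETHTOOL_K_OUTPUT
# Takes the text of `ethtool -k <nic>` and reports whether receive-hashing
# (the feature `ethtool -K <nic> rxhash off` toggles) is currently off.
rxhash_off() {
    printf '%s\n' "$1" | grep -q '^receive-hashing: off'
}

# report NIC: run all three checks against the live host.
report() {
    k=$(uname -r)
    kernel_at_least "$k" 3 2 \
        && echo "ok: kernel $k is >= 3.2 (tpacket_v3 era)" \
        || echo "WARN: kernel $k predates tpacket_v3; use the libpcap reader"
    header_defines_tpacket_v3 /usr/include/linux/if_packet.h \
        && echo "ok: TPACKET_V3 present in kernel headers" \
        || echo "WARN: TPACKET_V3 missing from /usr/include/linux/if_packet.h"
    rxhash_off "$(ethtool -k "$1" 2>/dev/null)" \
        && echo "ok: receive-hashing off on $1" \
        || echo "WARN: receive-hashing on for $1 (ethtool -K $1 rxhash off)"
}

if [ $# -gt 0 ]; then report "$1"; fi
```

Run it as `sh preflight.sh <capture nic>`; each WARN line maps to one of the workarounds mentioned in the thread.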

erik clark

Mar 28, 2017, 12:17:20 PM3/28/17
to Moloch Full Packet Capture
Yeah, we may have to go with elrepo. Will have to get permission from the powers that be to pollute our build with out of band kernels. :) 

Thanks as always, Andy!