Wednesday, December 12, 2012

PF_RING: tcpdump on a slave interface

I am running snort with a PF_RING enabled DAQ on CentOS using the default TNAPI drivers. I have my interfaces bonded together and snort is sniffing the bond interface. One goofy thing I noticed is when PF_RING is loaded, I cannot tcpdump on the the slave interfaces in the bond. Dumping on the bond interface works fine. For example, if eth1 and eth2 are slave interfaces in bond0 and PF_RING is enabled the following tcpdump command returns no results.
tcpdump -i eth1
If I disable PF_RING (rmmod pfring), the same tcpdump command works; which points to PF_RING as the cause of the behavior. This has been bugging the crap out of me for months.

Now here is the strange part. Recently I stumbled across something on accident because I fat fingered the tcpdump command. If I add a colon to the end of the interface name tcpdump works!
tcpdump -i eth1:
Even stranger, if I add a colon and any number it also works.
tcpdump -i eth1:7
I am perfectly fine with this behavior because it solves my original issue, but I am curious why? I have searched the hell out of google and have found nothing. I am curious if any else has experienced the same behavior.

No comments:

Post a Comment