Mailing List Archive

PF_RING captures no packets from bonded interfaces

Many thanks to the developer and contributors to the PF_RING patch. I'm
quite impressed with it and hope to make real use of it in my environment.

I recently applied the PF_RING 3.0 patch to the kernel from and then installed the patched kernel onto my Suse 9.3 NIDS
box. I was able to compile the patched libpcap and relink my suite of
packet capturing apps against it, and the tools were successfully
capturing packets until I tried them against a bonded interface. My box
has a quad port NIC (just 100Mbit) and two of those ports go to a
passive tap that sniffs the upstream and downstream traffic at a
specific point on my network. Those two interfaces ("dmza" and "dmzb")
are bonded together into an interface I call "dmz". With the standard
libpcap, sniffing bonded interfaces works like a charm, but with the
PF_RING-patched libpcap, I can run tcpdump against "dmza" or "dmzb" and
see packets go by, but if I try tcpdump against the "dmz" bonded
interface, I get zero packets captured every time.

Is there any hope for using PF_RING on bonded interfaces?

Here is the code that runs at boot time to bond my "dmza" and "dmzb"
interfaces into a single virtual "dmz" interface
modprobe bonding
ip link set dev dmz up
ifconfig dmz -arp promisc up
ifenslave dmz dmza dmzb

Here's what I get when I run tcpdump against the bonded interface

# tcpdump -i dmz
Open RING [fd=3]
RING (dmz):
tcpdump: WARNING: dmz: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol
listening on dmz, link-type EN10MB (Ethernet), capture size 96 bytes

(nothing happens, so I hit ctrl-c)

RING: numPollCalls=1 [0.0 packets/call]
RING: [tot_pkts=0][tot_read=0][tot_lost=0]
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Thanks in advance for your thoughts,