From: Pablo Neira <pablo@eurodev.net>
To: Abraham van der Merwe <abz@frogfoot.net>
Cc: Netfilter Development <netfilter-devel@lists.netfilter.org>
Subject: Re: ULOG / netlink errors
Date: Sun, 28 Nov 2004 21:37:55 +0100 [thread overview]
Message-ID: <41AA3723.9070708@eurodev.net> (raw)
In-Reply-To: <20041128113728.GA17226@oasis.frogfoot.net>
Abraham van der Merwe wrote:
>I'm trying to gather statistics (for netflow stats) using ULOG.
>
>
Maybe the ulog target isn't the best way to gather info stats. What kind
of stats are you gathering to be precise?
>What I do:
>
># tag packets
>iptables -A FORWARD -j ULOG --ulog-cprange 64 --ulog-nlgroup 1
>
>
try also with:
modprobe ipt_ULOG nlbufsiz=131068
it's the size of the internal buffer which is sent to user space.
Some maths: 131068/64=2047, so that tells me that --ulog-qthreshold
value should be lower/equal than that.
>Then I open a netlink socket (socket AF_NETLINK,SOCK_RAW,NETLINK_NFLOG),
>increase the receive buffer size to NLBUFSIZ and capture messages using
>recvfrom().
>
>I keep getting these errors:
>
>------------< snip <------< snip <------< snip <------------
>root@mojo:~# ./tuxprobe
>Starting to log output.
>recvfrom failed: No buffer space available
>recvfrom failed: No buffer space available
>recvfrom failed: No buffer space available
>recvfrom failed: No buffer space available
>...
>------------< snip <------< snip <------< snip <------------
>
>I have tried increasing the socket buffer size with:
>
>sysctl -w net/core/rmem_max=1048576
>sysctl -w net/core/rmem_default=1048576
>
>
this is ok, it's always a good idea to reduce the probability of an
overflow. But I think that you'll have problems anyway with traffers
rates bigger than ~20 Mbits/s.
>With libpcap (or normal raw socket) on the same machine I have no problems
>capturing all the data, even with capturing complete packets so I can't see
>why above doesn't/shouldn't work.
>
>
AFAIK libpcap has also known limitations
(http://luca.ntop.org/Ring.pdf), so for high tranfers rate you'll also
get fake numbers. I don't track its status so don't know if they were
already fixed.
--
Pablo
next prev parent reply other threads:[~2004-11-28 20:37 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-11-28 11:37 ULOG / netlink errors Abraham van der Merwe
2004-11-28 20:37 ` Pablo Neira [this message]
2004-11-28 20:50 ` Pablo Neira
2004-12-16 13:41 ` Harald Welte
2004-12-16 15:42 ` Pablo Neira
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41AA3723.9070708@eurodev.net \
--to=pablo@eurodev.net \
--cc=abz@frogfoot.net \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.