Skip to content

Commit

Permalink
Delete pfring code
Browse files Browse the repository at this point in the history
The PFring sniffer in Packetbeat is officially unsupported for a longer time,
because it depends on a kernel module and because we don't have a good way of
testing it,
but we left in the code and docs for the people that would like to compile it
themselves. However, it appears that it's broken for a long time (#2800), so this PR
removes it from code and docs.

Closes #4585, #2800.
  • Loading branch information
Tudor Golubenco committed Jul 4, 2017
1 parent 1f97861 commit 3a99ca8
Show file tree
Hide file tree
Showing 9 changed files with 5 additions and 138 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,8 @@ https://github.com/elastic/beats/compare/v6.0.0-alpha2...master[Check the HEAD d

*Packetbeat*

- Remove the already unsupported `pf_ring` sniffer option. {pull}4608[4608]

*Winlogbeat*

==== Bugfixes
Expand Down
4 changes: 0 additions & 4 deletions packetbeat/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,6 @@ ES_BEATS?=..

include ${ES_BEATS}/libbeat/scripts/Makefile

.PHONY: with_pfring
with_pfring:
go build --tags havepfring

# This is called by the beats packer before building starts
.PHONY: before-build
before-build:
Expand Down
3 changes: 0 additions & 3 deletions packetbeat/_meta/beat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,6 @@ packetbeat.interfaces.device: any
# not the fastest option.
# * af_packet, which uses memory-mapped sniffing. This option is faster than
# libpcap and doesn't require a kernel module, but it's Linux-specific.
# * pf_ring, which makes use of an ntop.org project. This setting provides the
# best sniffing speed, but it requires a kernel module, and it's Linux-specific.
# The default sniffer type is pcap.
#packetbeat.interfaces.type: pcap

# The maximum size of the packets to capture. The default is 65535, which is
Expand Down
19 changes: 3 additions & 16 deletions packetbeat/docs/capturing.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -11,9 +11,9 @@ The first option has the big advantage that there is no overhead of any kind on
your application servers. But it requires dedicated networking gear, which is
generally not available on cloud setups.

In both cases, the sniffing performance (reading packets passively from the network)
In both cases, the sniffing performance (reading packets passively from the network)
is very important. In the case of a dedicated server, better
sniffing performance means that less hardware is required. When Packetbeat is installed
sniffing performance means that less hardware is required. When Packetbeat is installed
on an existing application server, better sniffing performance means less overhead.

Currently Packetbeat has several options for traffic capturing:
Expand All @@ -22,15 +22,6 @@ Currently Packetbeat has several options for traffic capturing:
it's not the fastest option.
* `af_packet`, which uses memory mapped sniffing. This option is faster than libpcap
and doesn't require a kernel module, but it's Linux-specific.
* `pf_ring`, which makes use of an ntop.org
http://www.ntop.org/products/pf_ring/[project]. This setting provides the best
sniffing speed, but it requires recompilation and a kernel module, and it's
Linux-specific.

The `pf_ring` option provides sniffing speeds in the order of Gigabits per
second using only standard hardware, but it requires you to recompile Packetbeat
against the ntop libraries and is therefore currently not officially supported
by Elastic.

The `af_packet` option, also known as "memory-mapped sniffing," makes use of a
Linux-specific
Expand All @@ -45,10 +36,6 @@ reads from it. The poll system call is used for getting a notification for the
first packet available, but the remaining available packets can be simply read
via memory access.

This option is not quite as fast as `pf_ring` (it works to up to 200k packets
per second before dropping packets), but it requires no recompilation and no
kernel modules, and it's still a significant improvement over libpcap.

The `af_packet` sniffer can be further tuned to use more memory in exchange for
better performance. The larger the size of the circular buffer, the fewer
system calls are needed, which means that fewer CPU cycles are consumed. The default size
Expand All @@ -61,5 +48,5 @@ packetbeat.interfaces.type: af_packet
packetbeat.interfaces.buffer_size_mb: 100
------------------------------------------------------------------------------

Please see the <<configuration-interfaces>> section for more
Please see the <<configuration-interfaces>> section for more
configuration options.
Original file line number Diff line number Diff line change
Expand Up @@ -90,12 +90,6 @@ Packetbeat supports three sniffer types:
it's not the fastest option.
* `af_packet`, which uses memory-mapped sniffing. This option is faster than libpcap
and doesn't require a kernel module, but it's Linux-specific.
* `pf_ring`, which makes use of an ntop.org
http://www.ntop.org/products/pf_ring/[project]. This setting provides the best
sniffing speed, but it requires a kernel module, and it's Linux-specific.

NOTE: The `pf_ring` option requires re-compilation of Packetbeat and is not
officially supported by Elastic at this moment.

The default sniffer type is `pcap`.

Expand Down
3 changes: 0 additions & 3 deletions packetbeat/packetbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,6 @@ packetbeat.interfaces.device: any
# not the fastest option.
# * af_packet, which uses memory-mapped sniffing. This option is faster than
# libpcap and doesn't require a kernel module, but it's Linux-specific.
# * pf_ring, which makes use of an ntop.org project. This setting provides the
# best sniffing speed, but it requires a kernel module, and it's Linux-specific.
# The default sniffer type is pcap.
#packetbeat.interfaces.type: pcap

# The maximum size of the packets to capture. The default is 65535, which is
Expand Down
50 changes: 0 additions & 50 deletions packetbeat/sniffer/pfring.go

This file was deleted.

32 changes: 0 additions & 32 deletions packetbeat/sniffer/pfring_stub.go

This file was deleted.

24 changes: 0 additions & 24 deletions packetbeat/sniffer/sniffer.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ import (
type SnifferSetup struct {
pcapHandle *pcap.Handle
afpacketHandle *afpacketHandle
pfringHandle *pfringHandle
config *config.InterfacesConfig
isAlive bool
dumper *pcap.Dumper
Expand Down Expand Up @@ -208,27 +207,6 @@ func (sniffer *SnifferSetup) setFromConfig(config *config.InterfacesConfig) erro
}

sniffer.DataSource = gopacket.PacketDataSource(sniffer.afpacketHandle)
case "pfring", "pf_ring":
sniffer.pfringHandle, err = newPfringHandle(
sniffer.config.Device,
sniffer.config.Snaplen,
true)

if err != nil {
return err
}

err = sniffer.pfringHandle.SetBPFFilter(sniffer.filter)
if err != nil {
return fmt.Errorf("SetBPFFilter failed: %s", err)
}

err = sniffer.pfringHandle.Enable()
if err != nil {
return fmt.Errorf("Enable failed: %s", err)
}

sniffer.DataSource = gopacket.PacketDataSource(sniffer.pfringHandle)

default:
return fmt.Errorf("Unknown sniffer type: %s", sniffer.config.Type)
Expand Down Expand Up @@ -396,8 +374,6 @@ func (sniffer *SnifferSetup) Close() error {
sniffer.pcapHandle.Close()
case "af_packet":
sniffer.afpacketHandle.Close()
case "pfring", "pf_ring":
sniffer.pfringHandle.Close()
}
return nil
}
Expand Down

0 comments on commit 3a99ca8

Please sign in to comment.