Convert the napatech packet source to a plugin #11687

Closed
wants to merge 8 commits into from

Conversation

jlucovsky
Contributor

Continuation of #11657

This PR contains the changes to distribute and build the Napatech source modules as a "capture plugin".

Describe changes:

  • Converted the Napatech source modules to be suitable for a capture plugin
  • User-level upgrade documentation

Updates:

  • Rebase and manual application of 96a0ffa to file that was deleted and then added.
  • Doc update -- use "Napatech" instead of "NAPATECH"
  • Revert unnecessary change to decode module name -- NapatechDecode.
  • Combine like commits (remove unnecessary fixup commit)
  • Doc tweaks per review feedback

Provide values to any of the below to override the defaults.

  • To use a LibHTP, Suricata-Verify or Suricata-Update pull request,
    link to the pull request in the respective _BRANCH variable.
  • Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=
SU_REPO=
SU_BRANCH=
LIBHTP_REPO=
LIBHTP_BRANCH=

jlucovsky and others added 8 commits August 31, 2024 08:20
Re-introduce support for command line argument "--napatech"

Issue: 7165
Issue: 7165

Plugins can't be built using the standard autoconf/automake
methods. We can get around this by creating our own Makefiles, but
they're often less portable.

For now, fail during ./configure instead of during compile.
Original limit was due to a specific data structure.

(lifted from 96a0ffa)

codecov bot commented Aug 31, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.62%. Comparing base (15fe844) to head (ea572a3).
Report is 82 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #11687      +/-   ##
==========================================
- Coverage   82.63%   82.62%   -0.02%     
==========================================
  Files         919      917       -2     
  Lines      249032   249005      -27     
==========================================
- Hits       205795   205742      -53     
- Misses      43237    43263      +26     
Flag              Coverage   Δ
fuzzcorpus        60.87%     <ø> (+<0.01%) ⬆️
livemode          18.74%     <ø> (-0.01%)  ⬇️
pcap              44.13%     <ø> (-0.02%)  ⬇️
suricata-verify   61.86%     <ø> (-0.04%)  ⬇️
unittests         59.00%     <ø> (-0.01%)  ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa

Information: QA ran without warnings.

Pipeline 22304

@jlucovsky
Contributor Author

@ralpheastwood I'm requesting your input on this PR. I've built and tested this on a system with a NT40. I'd like to hear of your experience and if there are any items requiring attention.

@ralpheastwood
Contributor

Hi @jlucovsky - sorry I've been on vacation. One of my colleagues is testing it now.

@ralpheastwood
Contributor

Hi @jlucovsky - we're experiencing some issues loading the plugin. We added

  plugins:
    - /usr/local/lib/suricata/napatech.so

To the configuration file and ran it using:

suricata -c ./suricata.yaml --runmode workers -vvv

We also tried it with --napatech.

192.168.0.200_2024-09-19_15-22-04.log

@jlucovsky
Contributor Author

> Hi @jlucovsky - we're experiencing some issues loading the plugin. We added
>
>   plugins:
>     - /usr/local/lib/suricata/napatech.so
>
> To the configuration file and ran it using:
>
> suricata -c ./suricata.yaml --runmode workers -vvv
>
> We also tried it with --napatech.
>
> 192.168.0.200_2024-09-19_15-22-04.log

Can you post the output of suricata --build-info?

Have you tried adding --capture-plugin=napatech to the command line?

@ralpheastwood
Contributor

ralpheastwood commented Sep 20, 2024

Hi @jlucovsky, the --capture-plugin=napatech was the missing piece.

My colleague has managed to get it to work with a modified version of his configuration file. He did notice that with the default suricata.yaml, there were packet drops as compared to the one he normally used (with previous versions). He is comparing the configuration now to see what the differences are.

192.168.0.200_2024-09-20_16-03-48.log

@jlucovsky
Contributor Author

jlucovsky commented Sep 20, 2024

> Hi @jlucovsky, the --capture-plugin=napatech was the missing piece.
>
> My colleague has managed to get it to work with a modified version of his configuration file. He did notice that with the default suricata.yaml, there were packet drops as compared to the one he normally used (with previous versions). He is comparing the configuration now to see what the differences are.
>
> 192.168.0.200_2024-09-20_16-03-48.log

I'd like to hear what changes, if any, were needed to correct the packet drops.
The build-info output shows that hyperscan isn't being used; depending on the Suricata rules and the traffic, that could be a reason for the packet drops. Hyperscan should always be used.

The command line option is in this README
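The two things this thread settled on, listing the plugin under `plugins:` in suricata.yaml and naming it with `--capture-plugin=napatech`, plus the Hyperscan check from build-info, can be turned into a small preflight script. This is an added example, not code from the PR or from Suricata; the YAML and build-info samples are constructed, and the exact wording of the "Hyperscan support" line in `suricata --build-info` output is an assumption.

```shell
#!/bin/sh
# Preflight for loading a Suricata capture plugin such as napatech.so:
# the .so must be listed under "plugins:" and Suricata must be started with
# --capture-plugin=<name>; build-info should also report Hyperscan support.

# Constructed sample of the "plugins:" section from suricata.yaml.
SAMPLE_YAML='plugins:
  - /usr/local/lib/suricata/napatech.so
'

# Constructed, abbreviated build-info output. The "Hyperscan support:" line
# format is assumed here, not taken from the PR.
SAMPLE_BUILD_INFO_HS='Suricata Configuration:
  Hyperscan support:                       yes
'
SAMPLE_BUILD_INFO_NO_HS='Suricata Configuration:
  Hyperscan support:                       no
'

# yaml_lists_plugin YAML NAME: returns 0 when a "- <path>/<NAME>.so" entry
# appears under the top-level "plugins:" key.
yaml_lists_plugin() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^plugins:/ { in_plugins = 1; next }
        in_plugins && /^[^ ]/ { in_plugins = 0 }
        in_plugins && $1 == "-" && $2 ~ ("/" name "[.]so$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# build_info_has_hyperscan TEXT: returns 0 when build-info reports Hyperscan.
build_info_has_hyperscan() {
    printf '%s\n' "$1" | grep -qi '^ *Hyperscan support: *yes'
}

# suricata_cmdline CONFIG NAME: the command line from the thread, with the
# capture plugin named explicitly.
suricata_cmdline() {
    printf 'suricata -c %s --capture-plugin=%s --runmode workers -vvv\n' "$1" "$2"
}

# preflight YAML BUILDINFO NAME: prints the command line only when the plugin
# is listed and Hyperscan is enabled; otherwise explains what is missing.
preflight() {
    yaml_lists_plugin "$1" "$3" || { echo "plugin $3 not listed under plugins:" >&2; return 1; }
    build_info_has_hyperscan "$2" || { echo "build-info: no Hyperscan, expect drops" >&2; return 2; }
    suricata_cmdline ./suricata.yaml "$3"
}
```

On a real host, replace the constructed samples with the contents of suricata.yaml and the output of `suricata --build-info`.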

@jlucovsky
Contributor Author

Continued in #11819

@jlucovsky jlucovsky closed this Sep 23, 2024
4 participants